[4157] in WWW Security List Archive
Re: adduser web page
daemon@ATHENA.MIT.EDU (Rob Muhlestein)
Tue Jan 28 19:52:26 1997
Date: Tue, 28 Jan 1997 12:32:35 -0800 (PST)
From: Rob Muhlestein <rmuhle@q7.com>
To: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SOL.3.91.970128170538.1981B-100000@sol.star.bris.ac.uk>
Errors-To: owner-www-security@ns2.rutgers.edu
> We should be 'enabling' each other's thoughts by pointing out 'Dos and
> Don'ts', not attacking each other for trying things out.
Amen!
> - In the form submission process, use a 'POST' not a PUT.. as the PUT
> will leave the new password visible in the submitted URL. This is not a
> problem if the browser is closed after use, but it means that old and new
> passwords can be seen if you scan your access log files..
Steff, I think you might mean the GET method. I echo your advice.
PUT, until recent implementations involving WYSIWYG editors (i.e.
Netscape Gold, etc), has not been active in most servers because of the
obvious security issues associated with allowing a web server to
overwrite HTML documents with only flat-text password authentication.
Rob Muhlestein
SwooshNet Web Tech
NIKE, Inc.
(opinions are my own)
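The point Steff and Rob make is that a form submitted with GET puts the old and new passwords into the request line, and the request line is what a web server writes to its access log. As an added example (not part of the original list post), the script below shows the defensive side of that: a scanner that reads Common Log Format lines, flags GET requests whose query string carries credential-like parameter names, and a redaction routine that strips those values before the log is retained. The log lines are constructed for the example; the parameter names `passwd` and `newpasswd` and the path `/cgi-bin/adduser` are assumptions, not taken from any real server.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample access-log lines (Common Log Format). The first line is
# what a GET-submitted password form leaves behind: both passwords in the URL.
# The second line is the same form submitted with POST: the body is not logged.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jan/1997:12:32:35 -0800] "GET /cgi-bin/adduser?user=alice&passwd=s3cret&newpasswd=hunter2 HTTP/1.0" 200 512
10.0.0.5 - - [28/Jan/1997:12:33:01 -0800] "POST /cgi-bin/adduser HTTP/1.0" 200 512
10.0.0.9 - - [28/Jan/1997:12:35:10 -0800] "GET /index.html?lang=en HTTP/1.0" 200 2048
"""

# Common Log Format: host ident authuser [time] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names that usually carry a secret. Extend to match local conventions.
CREDENTIAL_PARAM = re.compile(r'(pass|pwd|secret|token|auth)', re.IGNORECASE)


def find_leaked_credentials(log_text):
    """Return (method, path, [param names]) for every request whose query
    string contains a credential-like parameter name."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        parts = urlsplit(m.group('target'))
        names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                 if CREDENTIAL_PARAM.search(k)]
        if names:
            findings.append((m.group('method'), parts.path, names))
    return findings


def redact_line(line):
    """Return the log line with the values of credential-like query
    parameters replaced by REDACTED, so the log can be kept without the
    passwords. Lines without a query string are returned unchanged."""
    m = LOG_RE.match(line)
    if not m:
        return line
    target = m.group('target')
    parts = urlsplit(target)
    if not parts.query:
        return line
    pairs = [(k, 'REDACTED' if CREDENTIAL_PARAM.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    # urlencode re-escapes the surviving values that parse_qsl decoded.
    new_target = parts._replace(query=urlencode(pairs)).geturl()
    return line.replace(target, new_target, 1)


if __name__ == '__main__':
    for method, path, names in find_leaked_credentials(SAMPLE_LOG):
        print(f"{method} {path}: credential parameters in URL: {', '.join(names)}")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

Running it reports only the GET request, which is exactly the case the thread warns about; the POST line shows nothing because the form fields travelled in the request body. Redaction is a mitigation for logs already written; the fix for the form itself is `method="post"`, and since the verbs only change where the data is placed, not whether it is protected, a password form still needs a protected transport as well.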