[4487] in WWW Security List Archive
Re:Question about User Identity (CGI scripting)
daemon@ATHENA.MIT.EDU (David Ray)
Wed Feb 19 04:42:18 1997
Date: Wed, 19 Feb 1997 00:02:33 -0800
To: www-security@ns2.rutgers.edu
From: daver@idiom.com (David Ray)
Cc: Jim Harmon <jim@telecnnct.com>
Errors-To: owner-www-security@ns2.rutgers.edu
At 12:34 PM 2/18/97, Jim Harmon wrote:
> [snip]
>
> Without getting into login scripts for our IntraNet, is there a way for
> me to capture the user's real account name via his/her browser? ...
> Is there a way to include or discover that information in the CGI
> Script?
Years ago, some of the early browsers like Mosaic sent this information in the $REMOTE_USER environment variable, but it was considered a violation of privacy among users and this feature was dropped from all browsers since then.
In fact, when JavaScript hackers found a way to capture the user's email address through JavaScript, Netscape considered it to be a bug in the browser and fixed it so that the email address could no longe be captured.
-Dave
