Username and Password Exposed

Posted: Thu Sep 05, 2002 9:28 am
by Love_Daddy
Hi Guys,

I have written a script to authenticate the username and password using forms.
So my problem is, when everything is okay, my username and password are displayed on the location
bar. that it'll give something like this:

http://localhost/login.php?username=Rom ... word=xxxxx

So how do I hide that?

Sessions

Posted: Thu Sep 05, 2002 9:32 am
by AVATAr
Why don't you use sessions?

Posted: Thu Sep 05, 2002 9:42 am
by lc
What I did with 1 of my scripts is to give every user a randomly generated code, and put that in the url along with other data... so you'd get index.php?U=58DB9g or something similar. If you use lots of letters and numbers the amount of possible combos is such that it becomes... well not 100% secure, but hard enough to crack imho

Posted: Thu Sep 05, 2002 9:45 am
by volka
or switch to 'POST'-method. Those values aren't transmitted within the url

Posted: Thu Sep 05, 2002 9:53 am
by Love_Daddy
I'm using the Post-Method, so I'm reading about sessions at the moment.
And I'll let you know as soon as I'm finished.

Posted: Thu Sep 05, 2002 10:19 am
by Takuma
POST isn't the best way to do it since you have to use a form to go to the next page.

Posted: Thu Sep 05, 2002 10:19 am
by volka

Posted: Thu Sep 05, 2002 10:21 am
by gite_ashish
hi,
I'm using the Post-Method,
The FORM variables are NOT displayed in the Query String (location bar) while using the POST method!

Either there is some problem with FORM submission
-OR-
the URL http://localhost/login.php?username=Rom ... word=xxxxx is not the result of what we are talking about.

Posted: Thu Sep 05, 2002 10:23 am
by Takuma
I think "lc"'s idea is good because you can store the number in the mysql db or something and match it, but the only problem is that you have to re-write all the links in the page...

Posted: Thu Sep 05, 2002 10:28 am
by volka
But the url refers to the login page. One way or another the real login data has to be transmitted.
From there on sessions or other mystical ( ;) ) mechanisms are ok.

Posted: Thu Sep 05, 2002 10:33 am
by Takuma
[quote="volka"]But the url refers to the login page.[/quote] What do you mean by that?

Posted: Thu Sep 05, 2002 10:49 am
by volka
http://localhost/login.php?username=Rom ... word=xxxxx
login.php and a login/password-pair made me think it concerns a login procedure ;)

Posted: Thu Sep 05, 2002 11:16 am
by Takuma
I don't think sending the user's password through POST or URL is a good idea since it's easy to get these hashed or whatevered strings.

Posted: Thu Sep 05, 2002 11:45 am
by volka
what other ways are there for a login?

Posted: Thu Sep 05, 2002 1:06 pm
by m3mn0n
Many.

~Check authentication by a cookie (username).
~Basic grab match of user/pass from database.
~Grab match of user/pass from database w/ session and cookie.

I bet there are more, but these are the ones I'm familiar with.
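The approach the thread converges on (volka's POST form, AVATAr's sessions, m3mn0n's "user/pass from database w/ session"), as an added example that is not code from any poster: a login.php that reads credentials only from the POST body, keeps the logged-in state server-side in $_SESSION, and redirects afterwards, so nothing secret ever reaches the location bar. The user store, the demo password and the /index.php target are assumptions for the example.

```php
<?php
// login.php: added example, not code from the thread. Credentials are read only
// from the POST body, the result is kept server-side in $_SESSION, and the
// browser is redirected afterwards, so neither username nor password ever
// appears in the URL.
declare(strict_types=1);

// Cookie flags so the session id is not readable by script or sent over plain HTTP.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Constructed demo account; a real site would look the hash up in its database.
$users     = ['rom' => password_hash('demo-password', PASSWORD_DEFAULT)];
$dummyHash = password_hash('unused', PASSWORD_DEFAULT);   // for unknown users

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // A GET request only shows the form: $_GET is never consulted, so a URL
    // like login.php?username=...&password=... cannot log anyone in.
    echo '<form method="post" action="login.php">'
       . '<input name="username"> <input type="password" name="password">'
       . '<button>Log in</button></form>';
    exit;
}

$username = (string)($_POST['username'] ?? '');
$password = (string)($_POST['password'] ?? '');

// Always run password_verify, against a dummy hash if the user is unknown,
// so response time does not reveal which usernames exist.
$hash = $users[$username] ?? $dummyHash;
$ok   = password_verify($password, $hash) && isset($users[$username]);

if (!$ok) {
    http_response_code(401);
    echo 'Login failed.';   // same message for bad user and bad password
    exit;
}

// Fresh session id on login, so an id handed out before login is worthless.
session_regenerate_id(true);
$_SESSION['user'] = $username;

// Redirect after POST: reloading the next page does not resubmit credentials.
header('Location: /index.php', true, 303);
exit;
```

Links on later pages then need no token at all; the session cookie carries the login, which avoids the link-rewriting problem Takuma raised with the token-in-URL scheme.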