Re: You *can!!* overwrite username/password using an HTML form. Also, experts *please* see Q at end

This WebDNA talk-list message is from

2000


It keeps the original formatting.
numero = 34125
interpreted = N
texte = Well p@ssword and pass/word work fine if they go through the browser's authenticate dialog so I don't usually parse the password.Also, what's wrong with @, /, :, & as passwords in an HTML form? They'll be change to %whatever by the browser anyway.But, I have to agree with you if you use a username:password@domain.com URL.Clem.John Peacock wrote: > > Passwords with the @ symbol should be considered to be bad passwords for > HTML forms. In fact, you should probably limit the user to [0-9a-zA-Z] > (i.e. alphanumeric only, no symbols at all). Think about what would > happen if your user chose a password containing the / character... > > John Peacock > > Clement Ross wrote: > > > > Does the redirect work with a password that contains @? > > > > The reason I ask is that > > > > http://username:p@ssword@http://www.adomain.com > > and > > http://username:p%40ssword@http://www.adomain.com > > > > won't work when typed in the Location field in Netscape. > > > > Clem. > > > > John Butler wrote: > > > > > > For the record... > > > Brice Le Blevennec has been vindicated. > > > You *can!!* overwrite username/password using a custom HTML form, rather than requiring your users who need to access protected pages to go thru the browser's > > > authenticate dialog. > > > Brice is using the technique on Mac/Webstar and now it is working for me on Linux/Redhat. > > > > > > Here's Brices instructions- > > > ***** > > > It takes 4 pages (1->4) but works decently. Here is my code. > > > > > > I assume that .tpl pages goes through WC without the > > > tag. (I deleted all and tags) > > > > > > 1) Login.tpl > > >
> > >
> > > > > > 2) step1.tpl (this force the WC var in http headers) > > > [redirect http://[username]:[password]@http://www.adomain.com/step2.tpl] > > > > > > 3) step2.tpl (this remove them from the URL) > > > [include file=^protect.inc&groups=mygroup] > > > > > > > > > 4) step3.tpl (this redirect to a protected page) > > > [redirect http://www.adomain.com/anypage.tpl] > > > > > > 5) anypage.tpl (can be any page protected by Authenticate). > > > [include file=^protect.inc&groups=mygroup] Hello [username], [password]. > > > ***** > > > > > > I couldn't get it to work before because nowhere on MY test step2.tpl (see above) was there an [authenticate] or [protect] tag. One of those tags *must* be on the page > > > where the [redirect] goes (the [redirect] you use to construct the URL with the 'username:password' in it - see step1.tpl above) I don't understand why it needs to be > > > there, because even if you wrap it in a [showif] which will definately evaluate to false if *just* the username is valid (but the password doesn't have to be valid for > > > the [showif] to evaluate false) and login with a proper username but invalid password (thus the [showif] skips over the [authenticate]) it somehow still gets the username > > > and password that were input in the HTML form into the browsers's cache (at least that is where you guys tell me username and password live). But without that > > > [authenticate] it will never get into the browser's cache - whether the username is valid or not, and whether the password is valid or not (ie- under no circumstances). > > > I did tests using [elapsedtime] to see if webcat really does skip over things wrapped in a [showif] which evalutes to false and it does indeed seem to (as opposed to > > > reading the code and then removing it 'after the fact') , so then > > > > > > **** !!! WHY DOES the [authenticate] have to be on step2.tpl even if the user inputs a proper username which would skip over the tag in the first place?? !!! **** > > > > > > can anyone explain this very bizarre (but in this case advanatgeous) behaviour?? > > > ?? > > > -John > > > > > > ------------------------------------------------------------- > > > This message is sent to you because you are subscribed to > > > the mailing list . > > > To unsubscribe, E-mail to: > > > To switch to the DIGEST mode, E-mail to > > > Web Archive of this list is at: http://search.smithmicro.com/ > > > > ------------------------------------------------------------- > > This message is sent to you because you are subscribed to > > the mailing list . > > To unsubscribe, E-mail to: > > To switch to the DIGEST mode, E-mail to > > Web Archive of this list is at: http://search.smithmicro.com/ > > ------------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > To switch to the DIGEST mode, E-mail to > Web Archive of this list is at: http://search.smithmicro.com/------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://search.smithmicro.com/ Associated Messages, from the most recent to the oldest:

    
  1. Re: You *can!!* overwrite username/password using an HTML form. Also, experts *please* see Q at end (Clement Ross 2000)
  2. Re: You *can!!* overwrite username/password using an HTML form. Also, experts *please* see Q at end (John Butler 2000)
  3. Re: You *can!!* overwrite username/password using an HTML form. Also, experts *please* see Q at end (John Peacock 2000)
  4. Re: You *can!!* overwrite username/password using an HTML form. Also, experts *please* see Q at end (Clement Ross 2000)
  5. You *can!!* overwrite username/password using an HTML form. Also, experts *please* see Q at end (John Butler 2000)
Well p@ssword and pass/word work fine if they go through the browser's authenticate dialog so I don't usually parse the password.Also, what's wrong with @, /, :, & as passwords in an HTML form? They'll be change to %whatever by the browser anyway.But, I have to agree with you if you use a username:password@domain.com URL.Clem.John Peacock wrote: > > Passwords with the @ symbol should be considered to be bad passwords for > HTML forms. In fact, you should probably limit the user to [0-9a-zA-Z] > (i.e. alphanumeric only, no symbols at all). Think about what would > happen if your user chose a password containing the / character... > > John Peacock > > Clement Ross wrote: > > > > Does the redirect work with a password that contains @? > > > > The reason I ask is that > > > > http://username:p@ssword@http://www.adomain.com > > and > > http://username:p%40ssword@http://www.adomain.com > > > > won't work when typed in the Location field in Netscape. > > > > Clem. > > > > John Butler wrote: > > > > > > For the record... > > > Brice Le Blevennec has been vindicated. > > > You *can!!* overwrite username/password using a custom HTML form, rather than requiring your users who need to access protected pages to go thru the browser's > > > authenticate dialog. > > > Brice is using the technique on Mac/Webstar and now it is working for me on Linux/Redhat. > > > > > > Here's Brices instructions- > > > ***** > > > It takes 4 pages (1->4) but works decently. Here is my code. > > > > > > I assume that .tpl pages goes through WC without the > > > tag. (I deleted all and tags) > > > > > > 1) Login.tpl > > >
> > >
> > > > > > 2) step1.tpl (this force the WC var in http headers) > > > [redirect http://[username]:[password]@http://www.adomain.com/step2.tpl] > > > > > > 3) step2.tpl (this remove them from the URL) > > > [include file=^protect.inc&groups=mygroup] > > > > > > > > > 4) step3.tpl (this redirect to a protected page) > > > [redirect http://www.adomain.com/anypage.tpl] > > > > > > 5) anypage.tpl (can be any page protected by Authenticate). > > > [include file=^protect.inc&groups=mygroup] Hello [username], [password]. > > > ***** > > > > > > I couldn't get it to work before because nowhere on MY test step2.tpl (see above) was there an [authenticate] or [protect] tag. One of those tags *must* be on the page > > > where the [redirect] goes (the [redirect] you use to construct the URL with the 'username:password' in it - see step1.tpl above) I don't understand why it needs to be > > > there, because even if you wrap it in a [showif] which will definately evaluate to false if *just* the username is valid (but the password doesn't have to be valid for > > > the [showif] to evaluate false) and login with a proper username but invalid password (thus the [showif] skips over the [authenticate]) it somehow still gets the username > > > and password that were input in the HTML form into the browsers's cache (at least that is where you guys tell me username and password live). But without that > > > [authenticate] it will never get into the browser's cache - whether the username is valid or not, and whether the password is valid or not (ie- under no circumstances). > > > I did tests using [elapsedtime] to see if webcat really does skip over things wrapped in a [showif] which evalutes to false and it does indeed seem to (as opposed to > > > reading the code and then removing it 'after the fact') , so then > > > > > > **** !!! WHY DOES the [authenticate] have to be on step2.tpl even if the user inputs a proper username which would skip over the tag in the first place?? !!! **** > > > > > > can anyone explain this very bizarre (but in this case advanatgeous) behaviour?? > > > ?? > > > -John > > > > > > ------------------------------------------------------------- > > > This message is sent to you because you are subscribed to > > > the mailing list . > > > To unsubscribe, E-mail to: > > > To switch to the DIGEST mode, E-mail to > > > Web Archive of this list is at: http://search.smithmicro.com/ > > > > ------------------------------------------------------------- > > This message is sent to you because you are subscribed to > > the mailing list . > > To unsubscribe, E-mail to: > > To switch to the DIGEST mode, E-mail to > > Web Archive of this list is at: http://search.smithmicro.com/ > > ------------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > To switch to the DIGEST mode, E-mail to > Web Archive of this list is at: http://search.smithmicro.com/------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://search.smithmicro.com/ Clement Ross

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

my price won't move (1997) Virtual hosting and webcatNT (1997) Couple of questions II (1999) Showing Results Alphabetically in Columns (top to bottom) (2002) Unix line endings (2003) Mondo amounts of Mail [long] (1999) WebCat2b12 CGI Mac - [shownext] problem (1997) [WebDNA] Test 3 (2009) Notepad problems (1998) japanese characters (1997) shoppingcart reload qty (1997) More on the email templates (1997) Stock Quotes (2000) can webcat determine an image's pixel dimensions? (2000) ImageMagick on OSX (2003) Help! WebCat2 bug (1997) Erotic Sites (1997) WebCatalog 4 Install Problems - Not Answered ?? (2000) Reversing [ipaddress] normalization (1998) [TaxableTotal] - not working with AOL and IE (1997)