Clear text password in the URL

Hi Tarantella community

We designed a complex Typo3-System which authenticates against a Novell
eDirectory. This directory returns a list of applications a user is
allowed to work with. Typo3 is told to make links out of these application
names, the login and the password. On click, this information is sent to
our Tarantella Server which returns the apps.

There is only one problem: It's not very secure to have these links in
clear text on a webpage, even if this page is only visible for the
authenticated user. (If the user leaves his "cubicle" without logging off,
everybody would be able to figure out login and password by hovering above
the link.)

My question is whether Tarantella could be told to accept this
confidential information by an MD5 hash instead. And if not, are there
plans to implement this in future?

Patrick

[943 byte] By [patrick] at [2007-11-25 20:53:26]
# 1

Hi Patrick

Can you explain why a username and password need to be in the link? I
think that it should be possible to log in first using one web page
and then generate the necessary links. There are some examples at
http://<your server>/sgd/examples/
if you have not seen these already.

Regards

Barrie

On 2005-07-11, patrick <peichenberger@bs.wmc.ch> wrote:
> Hi Tarantella community
>
> We designed a complex Typo3-System which authenticates against a Novell
> eDirectory. This directory returns a list of applications a user is
> allowed to work with. Typo3 is told to make links out of these application
> names, the login and the password. On click, this information is sent to
> our Tarantella Server which returns the apps.
>
> There is only one problem: It's not very secure to have these links in
> clear text on a webpage, even if this page is only visible for the
> authenticated user. (If the user leaves his "cubicle" without logging off,
> everybody would be able to figure out login and password by hovering above
> the link.)
>
> My question is whether Tarantella could be told to accept this
> confidential information by an MD5 hash instead. And if not, are there
> plans to implement this in future?
>
> Patrick

BarrieCooper at 2007-7-4 19:02:36
# 2

Hi Barrie

First of all, thanks a lot for your always immediate and competent support.
I'm not so sure whether your suggestion would have solved the problem
this time. So I hacked a workaround by generating links only with the
application names and redirected to the same page, where login & password
are appended and the request to Tarantella is made.

It's not really sexy, but still smart. And - best of all - it works fine.

Thanks for all

Patrick

Barrie Cooper wrote:
> Hi Patrick
>
> Can you explain why a username and password need to be in the link? I
> think that it should be possible to log in first using one web page
> and then generate the necessary links. There are some examples at
> http://<your server>/sgd/examples/
> if you have not seen these already.
>
> Regards
>
> Barrie
>
> On 2005-07-11, patrick <peichenberger@bs.wmc.ch> wrote:
> > Hi Tarantella community
> >
> > We designed a complex Typo3-System which authenticates against a Novell
> > eDirectory. This directory returns a list of applications a user is
> > allowed to work with. Typo3 is told to make links out of these application
> > names, the login and the password. On click, this information is sent to
> > our Tarantella Server which returns the apps.
> >
> > There is only one problem: It's not very secure to have these links in
> > clear text on a webpage, even if this page is only visible for the
> > authenticated user. (If the user leaves his "cubicle" without logging off,
> > everybody would be able to figure out login and password by hovering above
> > the link.)
> >
> > My question is whether Tarantella could be told to accept this
> > confidential information by an MD5 hash instead. And if not, are there
> > plans to implement this in future?
> >
> > Patrick

patrick at 2007-7-4 19:02:36
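
An added example, not part of the thread and not Tarantella/SGD code: a sketch of the pattern the two posts converge on, where the page's links carry only the application name and the credentials stay in a server-side session. It goes one step beyond the workaround described above by adding an expiring HMAC bound to the session, so only links the portal itself generated are accepted. All names (`login`, `make_link`, `handle_launch`, the `/launch` path) are hypothetical.

```python
import hashlib, hmac, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

SERVER_KEY = secrets.token_bytes(32)  # portal secret, never sent to the browser
SESSIONS = {}                         # session id -> credentials, server-side only
TOKEN_TTL = 60                        # seconds a launch link stays valid

def login(user, password):
    """After the directory login succeeds, keep credentials server-side."""
    sid = secrets.token_urlsafe(16)   # value of the session cookie
    SESSIONS[sid] = {"user": user, "password": password}
    return sid

def _sign(sid, app, expires):
    msg = f"{sid}|{app}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def make_link(sid, app, now=None):
    """Link rendered on the page: app name, expiry and MAC, no credentials."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    query = urlencode({"app": app, "exp": expires, "sig": _sign(sid, app, expires)})
    return f"/launch?{query}"

def handle_launch(sid, url, now=None):
    """Verify the clicked link for this session, then attach credentials."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    try:
        app, expires, sig = q["app"], int(q["exp"]), q["sig"]
    except (KeyError, ValueError):
        return None                   # malformed or incomplete link
    now = time.time() if now is None else now
    if sid not in SESSIONS or now > expires:
        return None                   # unknown session or stale link
    if not hmac.compare_digest(sig.encode(), _sign(sid, app, expires).encode()):
        return None                   # app name or expiry was altered
    creds = SESSIONS[sid]
    # Placeholder for the server-to-server request to the application server;
    # the real call is not shown on the page, so a plain dict stands in for it.
    return {"app": app, "user": creds["user"], "password": creds["password"]}
```

Hovering over such a link shows only the application name, an expiry time and a MAC that is useless outside the session it was issued for.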