#1
POST vs GET
I'm having a small disagreement with a phpBB forum admin.
They have done something, I think associated with mod_rewrite, and now when you log in and are redirected, the login info is displayed in the address bar. I complained about this. Not only is it blatantly obvious to anyone looking, but it could also be cached, bookmarked or be more easily susceptible to a brute force attack. The admin doesn't seem to be bothered and wonders why I have a problem with it. His only argument seems to be that with either POST or GET the headers are sent and are available to be grabbed, but I don't think that is the real point. I just think that having it in the open using GET would be a far greater risk at the client-side level. Why bother with hashing/encrypting passwords if you can get them from the address bar? Any opinions would be welcomed.
#2
If the pass is shown in the URL bar then that's not good at all; just don't use his forum if he is annoying you.
#3
I agree. If the password is visible in the URL as-is (not even encoded) then it's a huge no-no and that admin is nothing less than plain stupid. If only the username/userid is visible or the password is encoded then it's not so bad, but it's still much more standard to have it POSTed.
#4
The strange thing is that the login form is using POST, but they have done some mods and since then there is a redirect and the details are shown in the qs.
I think it is a mod_rewrite mod for the forums. Anyway, I agree, plain stupid, but he stands by his statements of it not being an issue and asks me why I am concerned.
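As an added example (not code from the thread or from phpBB), here is a small Python check a forum admin could run over their own web server's access log to see the problem the thread describes: the POST to the login form leaves no credentials in the log, but the GET redirect that follows it carries the login fields in the query string, which means they also end up in proxy caches, browser history, bookmarks and Referer headers. The log lines and the credential parameter names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample lines in Apache combined log format (not taken from the thread).
# Line 1 is the POST to the login form; line 2 is the redirect the thread complains
# about, carrying the login fields in the query string; line 3 is a normal page view.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Mar/2006:12:54:01 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Mar/2006:12:54:01 +0000] "GET /index.php?username=alice&password=hunter2&redirect=viewforum.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Mar/2006:12:55:10 +0000] "GET /viewtopic.php?t=42&start=15 HTTP/1.1" 200 8840 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query parameter names treated as credentials (assumed list; extend for your application).
CREDENTIAL_PARAMS = {"password", "passwd", "pwd", "pass", "user_password"}


def find_credentials_in_urls(log_text):
    """Return one finding per request whose query string carries a credential
    parameter. Only the parameter names are reported, never the values, so the
    report does not re-leak what the log already leaked."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group("target"))
        leaked = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                         if k.lower() in CREDENTIAL_PARAMS})
        if leaked:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "method": m.group("method"), "path": parts.path,
                             "status": m.group("status"), "params": leaked})
    return findings


def redact_query(target):
    """Rewrite a request target so credential values are replaced before the
    line is stored or shared (e.g. when forwarding logs to a ticket or a SIEM)."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in CREDENTIAL_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for f in find_credentials_in_urls(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} leaked {f['params']}")
```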
#5
Ask him how he'd feel if his bank did that =8}
#6
If he claims it's not an issue, it just shows how ignorant he is and how much he lacks common sense.
#7
I thought phpBB SHA-2 hashed passwords and such by default, so why would it have to pass the clear password, unless, as everyone else has said, the admin is stupid and changed things so that everything is in the clear.
Last edited by freeasphelp : March 23rd, 2006 at 12:54 PM.
#8
LMAO!!! Very good argument!
#9
I may well do that.
#10
tbh one could use the argument: why are you using phpBB?