
Re: Password protected pages?



I am no expert in this area, but these responses seem either incorrect or 
obscure.

1.   My understanding is that some Java code can be hidden from the viewer 
via the "View Source" option (i.e., selecting "View Source" will not reveal 
it).  This does not necessarily mean that people cannot "capture" this 
code, it just means that they cannot easily view it from the "View Source" 
(in Netscape).

2.   I am not too familiar with a server's authentication scheme, but if 
pages x, y, and z exist and x requires a password to access (and contains 
two links to y and z), can I not just bypass it by making a bookmark at page 
y and/or z within the secured area and then jumping directly to that page? 
 Sure I need the password once, but once I know where these pages are 
located, can I not access them?  Certainly in some security implementations 
you can do this (I have done this before).

I am not trying to correct the original response, as I am not knowledgeable 
enough in this area to make that statement; however, I am trying to point 
out what I believe are some oversights.  If they are not, well then I will 
have learned something as well (assuming someone corrects these statements 
if incorrect).

 --- Ed.
 ----------
From: owner-www-security
To: cibir
Cc: www-security
Subject: Re: Password protected pages?
Date: Sunday, July 21, 1996 6:46PM

> What is the best way to protect a web page from:
>
>       1.  People viewing the HTML code
  None here. The browser has to get the HTML code to display it, and you
cannot prevent anyone from looking at it.

>       2.  Only allowing certain people with an account and password
> onto the page?
>
  Use your server's preferred authentication scheme.

 --
 -+-+ Pierre-Yves BONNETAIN (aka Pyb)
     Consultant Internet/Securite
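
The bookmark question in point 2 above comes down to whether the server checks credentials on every request for every page in the protected area, or only on the entry page x. The following is an added example, not code from either message: a small model of HTTP Basic authentication in which the paths, user name and password are constructed for illustration, comparing a configuration that protects only x with one that protects the whole area.

```python
import base64
import hmac

# Constructed sample data: paths, user and password are illustrative only.
PAGES = {"/secure/x.html": "links to y and z",
         "/secure/y.html": "page y",
         "/secure/z.html": "page z"}
USERS = {"alice": "correct horse"}

def credentials_ok(headers):
    """Validate an HTTP Basic 'Authorization' header against USERS."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return False
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())

def handle(path, headers, protected_exact=(), protected_prefixes=()):
    """Return the HTTP status for a GET; the check runs on every request."""
    if path not in PAGES:
        return 404
    needs_auth = (path in protected_exact
                  or any(path.startswith(p) for p in protected_prefixes))
    if needs_auth and not credentials_ok(headers):
        return 401
    return 200

def audit(**config):
    """Request every page without credentials; list those served anyway."""
    return sorted(p for p in PAGES if handle(p, {}, **config) == 200)

# Weak: only entry page x is protected, so y and z are served to anyone
# who already knows (or bookmarked) their URLs.
WEAK = {"protected_exact": ("/secure/x.html",)}
# Corrected: the whole area is protected, so a bookmark to y or z
# still gets a 401 until valid credentials are sent.
FIXED = {"protected_prefixes": ("/secure/",)}

if __name__ == "__main__":
    print("weak :", audit(**WEAK))
    print("fixed:", audit(**FIXED))
```

Running the same unauthenticated sweep against a real site's protected area is a quick way to confirm that no page answers 200 without credentials.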

