3 Replies Latest reply on Jul 25, 2006 7:29 AM by Stefan_K.

    Passing Password thru URL

    GSUSLUVS2 Level 1
      I'm using Coldfusion as my authentication method (CFLDAP) to verify username and password, once verified a list of links are available. . .once a link is selected, the user is sent to a totally different application called Hyperion and authentication is validated by the password and userid received thru the url. . .my only problem is the userid and password is displayed within the url. . .Is there a way to hide or encrypt the password to where it can't be displayed as the actual password within the url. . .I don't want anyone looking over my shoulder and seeing what my password is to log into Hyperion

      Any help would be appreciated!

      Melvin
        • 1. Re: Passing Password thru URL
          Level 7
          Hidden -- no. If the requirement is to pass the password in the url,
          the url is visible. Other than your personal choice of not displaying
          the URL tool bar which can be switched usually under the view -> tool bars
          menu. But this is not something a programmer can enforce on a user.

          Encrypted -- yes. You can scramble and encrypt the value in many
          manners. Of course this will require the system receiving the value to
          understand how the password was scrambled and encrypted. So that would
          depend on what capabilities this Hyperion system has.

          GSUSLUVS2 wrote:
          > I'm using Coldfusion as my authentication method (CFLDAP) to verify username
          > and password, once verified a list of links are available. . .once a link is
          > selected, the user is sent to a totally different application called Hyperion
          > and authentication is validated by the password and userid received thru the
          > url. . .my only problem is the userid and password is displayed within the url.
          > . .Is there a way to hide or encrypt the password to where it can't be
          > displayed as the actual password within the url. . .I don't want anyone looking
          > over my shoulder and seeing what my password is to log into Hyperion
          >
          > Any help would be appreciated!
          >
          > Melvin
          >
          • 2. Re: Passing Password thru URL
            DJ_Jamba
            this is poor design :( (sorry)
            never send password as a url parameter
            • 3. Re: Passing Password thru URL
              Stefan_K. Level 1
              I agree that it is poor design; nevertheless it is sometimes inevitable to pass login info either as (hidden-)form vars or even in a url-parameter.

              Encryption is a must here, what is often forgotten is that a timestamp should also be included.
              Example:
              Encrypt(user & Chr(8) & password & Chr(8) & Now(), encryption_key)
              Evaluating such a timestamp and ensuring it's not older than, let's say, 1 hour is the only way to ensure that such a logon-param cannot be copied and used forever.
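
The timestamped logon parameter described in reply 3, written out with both the issuing and the checking side. This is an added example, not code from the thread or from any poster. The function names, `MAX_AGE_SECONDS` and the sample credentials are constructed. It uses AES instead of the default algorithm of the two-argument `Encrypt()` call, and assumes the receiving application can perform the same decryption.

```cfml
<cfscript>
// Added example: names and sample values are constructed, not from the thread.
MAX_AGE_SECONDS = 3600; // the one-hour limit suggested in reply 3

// Seconds since 1970-01-01 UTC; avoids locale-dependent date strings in the token.
function epochSeconds() {
    return DateDiff("s", CreateDateTime(1970, 1, 1, 0, 0, 0), DateConvert("local2utc", Now()));
}

// Issuing side: user, password and issue time separated by Chr(8), then encrypted.
function makeLogonToken(required string user, required string password, required string key) {
    var plain = arguments.user & Chr(8) & arguments.password & Chr(8) & epochSeconds();
    // Hex output needs no URL encoding when placed in a query string.
    return Encrypt(plain, arguments.key, "AES/CBC/PKCS5Padding", "Hex");
}

// Checking side: ok stays false for undecryptable, malformed, expired or future-dated tokens.
function readLogonToken(required string token, required string key) {
    var result = { ok = false, reason = "" };
    var plain = "";
    try {
        plain = Decrypt(arguments.token, arguments.key, "AES/CBC/PKCS5Padding", "Hex");
    } catch (any e) {
        result.reason = "undecryptable";
        return result;
    }
    var parts = ListToArray(plain, Chr(8), true);
    if (ArrayLen(parts) != 3 || !IsNumeric(parts[3])) {
        result.reason = "malformed";
        return result;
    }
    var age = epochSeconds() - parts[3];
    if (age < 0 || age > MAX_AGE_SECONDS) {
        result.reason = "expired";
        return result;
    }
    result.ok = true;
    result.user = parts[1];
    result.password = parts[2];
    return result;
}

sharedKey = GenerateSecretKey("AES"); // in practice one fixed key held by both applications
token = makeLogonToken("melvin", "constructed-sample-pw", sharedKey);
check = readLogonToken(token, sharedKey);
WriteOutput("ok=" & check.ok & " reason=" & check.reason);
</cfscript>
```

AES-CBC encrypts the token but does not authenticate it, so the checking side treats every decrypt or parse failure as a rejected logon.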