Hidden -- no. If the requirement is to pass the password in the url,
the url is visible. Other than your personal choice of not displaying
the URL tool bar which can be switched usually under the view -> tool bars
menu. But this is not something a programmer can enforce on a user.
Encrypted -- yes. You can scramble and encrypt the value in many
manners. Of course this will require the system receiving the value to
understand how the password was scrambled and encrypted. So that would
depend on what capabilities this Hyperion system has.
> I'm using Coldfusion as my authentication method (CFLDAP) to verify username
> and password, once verified a list of links are available. . .once a link is
> selected, the user is sent to a totally different application called Hyperion
> and authentication is validated by the password and userid received thru the
> url. . .my only problem is the userid and password is displayed within the url.
> . .Is there a way to hide or encrypt the password to where it can't be
> displayed as the actual password within the url. . .I don't want anyone looking
> over my shoulder and seeing what my password is to login into Hyperion
> Any help would be appreciated!
this is poor design :( (sorry)
never send password as a url parameter
I agree that it is poor design, nevertheless sometimes inevitable to pass login info either as (hidden-)form vars or even in a url-parameter.
Encryption is a must here, what is often forgotten is that a timestamp should also be included.
Encrypt(user & Chr(8) & password & Chr(8) & Now(), encryption_key)
Evaluating such a timestamp and ensuring it's not older than let's say 1 hour is the only way to ensure that such a logon-param cannot be copied and used forever.
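The timestamped parameter described in the reply above, sketched as an added example that is not code from any poster in this thread. The function names `buildLogonParam` and `readLogonParam`, the `AES/CBC/PKCS5Padding` algorithm string, the Hex encoding and the sample credentials are assumptions; the receiving application would need an equivalent decrypt-and-check step, which depends on what it supports.

```cfml
<cfscript>
// Added illustration: function names, cipher mode and encoding are assumptions.
function buildLogonParam(required string user, required string password, required string key) {
    // Fixed-format timestamp so the receiver can parse it regardless of locale.
    var issued = DateFormat(Now(), "yyyy-mm-dd") & " " & TimeFormat(Now(), "HH:mm:ss");
    var plain = arguments.user & Chr(8) & arguments.password & Chr(8) & issued;
    // Hex output can go into a query string without URL escaping.
    return Encrypt(plain, arguments.key, "AES/CBC/PKCS5Padding", "Hex");
}

function readLogonParam(required string token, required string key, numeric maxAgeMinutes = 60) {
    var result = { valid = false, reason = "", user = "", password = "" };
    var plain = "";
    var parts = [];
    var age = 0;
    try {
        plain = Decrypt(arguments.token, arguments.key, "AES/CBC/PKCS5Padding", "Hex");
    } catch (any e) {
        // Wrong key, truncated value or tampered ciphertext.
        result.reason = "undecryptable";
        return result;
    }
    // Keep empty fields so a blank user or password does not shift the positions.
    parts = ListToArray(plain, Chr(8), true);
    if (ArrayLen(parts) != 3 || !IsDate(parts[3])) {
        result.reason = "malformed";
        return result;
    }
    // Age in minutes; a negative age means a timestamp from the future.
    age = DateDiff("n", ParseDateTime(parts[3]), Now());
    if (age < 0 || age > arguments.maxAgeMinutes) {
        result.reason = "expired";
        return result;
    }
    result.valid = true;
    result.user = parts[1];
    result.password = parts[2];
    return result;
}

// Constructed sample values; the key is shared with the receiver out of band.
key = GenerateSecretKey("AES");
fresh = readLogonParam(buildLogonParam("jdoe", "example-password", key), key);
staleToken = Encrypt("jdoe" & Chr(8) & "example-password" & Chr(8) & "2000-01-01 00:00:00",
                     key, "AES/CBC/PKCS5Padding", "Hex");
stale = readLogonParam(staleToken, key);
WriteOutput("fresh valid: " & fresh.valid & ", stale reason: " & stale.reason);
</cfscript>
```

A token that passes the age check can still be replayed until it expires, so the window should be as short as the redirect allows.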