Hallo, Paul.
As a wish, at your site I miss the possibility to delete or edit a user resource "in situ".
I mean, each user, with his own name and pass to your site, could change or delete his own snippet, app, game, etc.
Paul's Resource Site
- Psychophanta
- Always Here

- Posts: 5153
- Joined: Wed Jun 11, 2003 9:33 pm
- Location: Anare
Hi Paul,
when I go to your site and see in the URL field:
How come?
Don't you think that this is a security hole?
Well, I do.
Never ever I see my password in the URL field.
Besides: I didn't sign up to your site.
The only thing I did over a year ago was to sign up in your forum that you had back then.
I don't think it's appropriate to get a password from a forum database and publish it in the URL field of an Internet client or use it for a different purpose, such as user information for your site.
Is there a possibility to kill my whole data in your database?
I am to provide the public with beneficial shocks.
Alfred Hitshock
While odd, it's not any more insecure than anything else not encrypted (SSL). The only additional security hazard I can see is if you were to give that link to someone without seeing that it contained your username and password.
Generally the way I do my web based login stuff is the username and password are passed from the client to the server once, and generally over SSL. Then a "logged in" flag (either a cookie or other session variable) is set to true and a "permission" value is associated with the session to control user access.
-Mitchell
Check out kBilling for all your billing software needs!
http://www.k-billing.com
Code Signing / Authenticode Certificates (Get rid of those Unknown Publisher warnings!)
http://codesigning.ksoftware.net
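The login flow described in the post above, as an added example that is not part of the original thread: the credentials arrive once in a POST body, after which the server issues a random session ID and keeps the "logged in" flag and the permission value on its own side. The function names, the in-memory stores, the parameter names treated as credentials and the sample user are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample user store: username -> (salt, PBKDF2 hash, permission).
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"s3cret", _SALT, 100_000), "member")}
SESSIONS = {}  # session id -> {"user", "logged_in", "permission"}; never sent to the client

# Assumed parameter names that indicate a credential placed in a URL.
CREDENTIAL_KEYS = {"user", "username", "pass", "password", "pwd"}


def url_carries_credentials(url):
    """True if the query string contains a credential-like parameter."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return bool(CREDENTIAL_KEYS & {key.lower() for key in params})


def login(url, form):
    """Handle a login POST; return the Set-Cookie value, or None on failure."""
    if url_carries_credentials(url):
        return None  # URLs end up in history, logs and Referer headers
    record = USERS.get(form.get("username", ""))
    if record is None:
        return None
    salt, stored, permission = record
    supplied = hashlib.pbkdf2_hmac("sha256", form.get("password", "").encode(), salt, 100_000)
    if not hmac.compare_digest(stored, supplied):
        return None
    sid = secrets.token_urlsafe(32)  # unguessable, reveals nothing about the password
    SESSIONS[sid] = {"user": form["username"], "logged_in": True, "permission": permission}
    return f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def authorize(cookie_header, required):
    """Check a request's Cookie header against the server-side flag and permission."""
    pairs = (part.strip().split("=", 1) for part in cookie_header.split(";") if "=" in part)
    session = SESSIONS.get(dict(pairs).get("session"))
    return bool(session and session["logged_in"] and session["permission"] == required)
```
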

