1

I have an authenticate.cgi script which receives username/password and validates them.

If it's a valid login, I redirect the page to myIndex.cgi by sending some parameters like start-date/username etc., where a report is shown to the user.

If it's an invalid login, I redirect to the previous page so username/password can be re-entered.

When I redirect to myIndex.cgi, the URL shows all the parameters in the URL bar. Is there a way to mask them so the parameters and their values are not shown in the URL?

Is there a way to do it? Please let me know. Thanks.

authenticate.cgi

#Redirect to login if invalid username/password or redirect to report page
if ( ( $username eq '' ) ||  ( $password eq '' ) )
{
        #print "not defined\n";
        $referrer = $ENV{HTTP_REFERER};
        print $query->redirect($referrer);
}
else
{
        $retStatus=verifyLogin($username,$password);
        my $myUser = $username;

        #Redirect to the caller
        if($retStatus eq "98")
        {

                $referrer = "http://projects.pjkeary.net/inspections_done_report/myIndex.cgi?start=2014-10-01&end=2014-10-31&exclude_dt=1&myUser=$myUser";
        }
        else
        {
                $referrer = $ENV{HTTP_REFERER};
        }
        print $query->redirect($referrer);
}
$referrer = $ENV{HTTP_REFERER};
print $query->redirect($referrer);
Mahesh
  • 1
    Use a POST in submitting the data across. – Asheliahut Jan 20 '15 at 14:45
  • 1
    @Geohut — In a *redirect*?! – Quentin Jan 20 '15 at 14:46
  • 1
    I'd reorganise your code to use a single script as the entry point, and then just route to different parts of the script depending on need (so you don't need to tell the browser to request a different URL at all). Catalyst is good for that, although I'd look to FastCGI rather than plain CGI. – Quentin Jan 20 '15 at 14:47
  • http://stackoverflow.com/questions/5576619/php-redirect-with-post-data If you don't like this method, then look into just being on a single page and doing Ajax calls to the data. The same thing will work with Perl. – Asheliahut Jan 20 '15 at 14:49
  • @Quentin: Hi, can you please tell me how you would reorganize this code? – Mahesh Jan 20 '15 at 15:18
  • As described in my comment. If you want more, then read up on the MVC pattern as it applies to web development. The Catalyst documentation might be a decent place to start. Or you could look at something a bit simpler like Dancer. – Quentin Jan 20 '15 at 15:27
  • This script just redirects. It does not have a form or any text field or submit button. It just redirects to 2 different pages based on a variable. Can I pass the URL params using JavaScript or Ajax? How would you call a JS function just on its own? Can you please give me any link or a pointer? – Mahesh Jan 20 '15 at 15:29

1 Answer

0

As already noted - you can't really do this with a POST at the same time as redirecting. But neither can you do it with a GET, because that exposes auth credentials to anyone watching. (As noted below - just because it's POSTed doesn't make it in any way hidden - it's still sent in the clear, and trivially easy to intercept. It just doesn't appear as obviously in history or proxy logs.)

You could perhaps embed the credentials in a cookie, but especially cross-site cookie passing is potentially unpleasant.

So what I would suggest is take a leaf from Kerberos' book. What Kerberos does is enable trusted third party authentication, by passing around encrypted and time limited tokens. http://en.wikipedia.org/wiki/Kerberos_%28protocol%29

So algorithmically you could:

  • Create a public-private key pair.
  • Put the public key on the 'authenticator' server.
  • Put the private key on the 'destination' server.
  • When someone authenticates successfully, generate a token that includes:
    • timestamp
    • source ip
    • username
    • sequence number or serial number (if you want to avoid re-use)
  • Encrypt the token using the public key.
  • Base 64 encode it, and pass it to the client as a parameter in the URL.

The destination server can trust the token, because it can decrypt it, and it's got enough information (time and source IP) to make it non-trivial to steal and reuse the encryption token. And it then 'knows' that the user accessing is valid, and authenticated.

You could extend the 'token' to include any sensitive parameters you want to pass, and leave any you're happy to send in the clear.

Perl modules probably exist to do this, but I'm not familiar enough with them so instead:

openssl genrsa -out openssl_gen_rsa
openssl rsa -in openssl_gen_rsa -pubout -out openssl_gen_rsa.out 

Then take a 'plain text' file and encrypt it with the public key:

openssl rsautl -inkey openssl_gen_rsa.out -pubin -in test_file.txt -encrypt -out test_file.openssl.pub.enc

Base 64 encode it. (There's a base64 command on Linux, but Perl has this built in.)

Then you decrypt using the private key:

openssl rsautl -inkey openssl_gen_rsa -in test_file.openssl.pub.enc -decrypt

Perl definitely has built-in modules to do this though.

Sobrique
  • 1
    Re. "you can't really do this with a POST at the same time as redirecting. But neither can you do it with a get, because that exposes auth credentials to anyone watching." If someone is already watching the HTTP requests, using `POST` will not magically hide the parameters (although it will prevent them from appearing in the browser history). – ThisSuitIsBlackNot Jan 20 '15 at 20:28
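
The token round trip described in the answer above, as an added shell example that is not part of the original post: the authenticator encrypts timestamp, source IP, username and serial under the public key, and the destination decrypts the token and enforces age, address and single use. It uses `openssl pkeyutl` (the replacement for `rsautl`, which OpenSSL 3.0 deprecates) with OAEP padding; the key file names, the `|`-separated field layout and the `seen_serials` file are assumptions of this example.

```shell
#!/bin/sh
# Added example; key file names, field order and the '|' separator are assumptions.
WORK=$(mktemp -d)

# One-time setup: the public key goes to the authenticator, the private key
# never leaves the destination server.
make_keys() {
    openssl genrsa -out "$WORK/dest_private.pem" 2048 2>/dev/null &&
    openssl rsa -in "$WORK/dest_private.pem" -pubout \
        -out "$WORK/auth_public.pem" 2>/dev/null
}

# Authenticator side: issue_token USER CLIENT_IP SERIAL [ISSUED_AT]
# Prints a URL-safe token (timestamp|ip|user|serial); fields must not contain '|'.
issue_token() {
    printf '%s|%s|%s|%s' "${4:-$(date +%s)}" "$2" "$1" "$3" |
        openssl pkeyutl -encrypt -pubin -inkey "$WORK/auth_public.pem" \
            -pkeyopt rsa_padding_mode:oaep |
        openssl base64 -A | tr '/+' '_-' | tr -d '='
}

# Destination side: check_token TOKEN CLIENT_IP MAX_AGE_SECONDS
# Prints the username and returns 0 only if every check passes.
check_token() {
    b64=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#b64} % 4 )) in 2) b64="$b64==" ;; 3) b64="$b64=" ;; esac
    plain=$(printf '%s' "$b64" | openssl base64 -d -A 2>/dev/null |
        openssl pkeyutl -decrypt -inkey "$WORK/dest_private.pem" \
            -pkeyopt rsa_padding_mode:oaep 2>/dev/null) || return 1
    IFS='|' read -r ts ip user serial <<EOF
$plain
EOF
    case $ts in ''|*[!0-9]*) return 1 ;; esac            # malformed timestamp
    age=$(( $(date +%s) - ts ))
    [ "$age" -ge 0 ] && [ "$age" -le "$3" ] || return 1  # expired or future-dated
    [ "$ip" = "$2" ] || return 1                         # presented from another address
    [ -n "$user" ] && [ -n "$serial" ] || return 1       # incomplete token
    # Single use: refuse a serial that was already accepted.
    grep -qxF -- "$serial" "$WORK/seen_serials" 2>/dev/null && return 1
    printf '%s\n' "$serial" >> "$WORK/seen_serials"
    printf '%s\n' "$user"
}
```

Public-key encryption alone does not show who created a token: anyone who obtains `auth_public.pem` can produce one the destination will decrypt, so keep that key confined to the authenticator or add a signature made with a key only the authenticator holds.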