Posted to user@turbine.apache.org by "Daniel, Matthew" <md...@amazon.com> on 2002/07/26 23:50:33 UTC

Parms exposed on the url

My team is putting together a web app using turbine 2.1, velocity 1.3, jdk 1.3 on Linux.  We require users to authenticate with a simple post form which we then process using a turbine action which does the actual checking then redirects to the portal page. All this is done through ssl with a non-trusted certificate.

The problem is that the user name and password end up on the url after the authentication action regardless of the success of login.  This means that this sensitive info ends up in the logs as well in $CATALINA_HOME/logs.  I've observed this behavior using Netscape 4.7 for win32 and Mozilla 1.0 for win32 and Linux.  It never happens when I use IE 6.0.  We have a lot of Linux desktop users so this is a show-stopper for us.  I should add that the parameters are only exposed once.  For example, once I'm logged in I can log out and then login again.  On the second login, the parameters are not on the url.  Ditto when I fail the first login attempt, subsequent attempts don't show the parameters.

Example:
(bad)-->
https://my-internal-server.com:8443/someapp/servlet/dwp/x/38/password/mycleartextpasswd/action/LDAPLoginUser/y/10/username/theuser

(good)
https://my-internal-server.com:8443/someapp/servlet/dwp/action/LDAPLoginUser

Anybody seen this before?  Got any suggestions?  Any tips would be much appreciated.


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Parms exposed on the url

Posted by Rodney Schneider <rl...@arcalink.com>.
On Sat, 27 Jul 2002 07:50, you wrote:

> The problem is that the user name and password end up on the url after the
> authentication action regardless of the success of login.  This means that
> this sensitive info ends up in the logs as well in $CATALINA_HOME/logs. 
> I've observed this behavior using Netscape 4.7 for win32 and Mozilla 1.0
> for win32 and Linux.  It never happens when I use IE 6.0.  We have a lot of
> Linux desktop users so this is a show-stopper for us.  I should add that
> the parameters are only exposed once.  For example, once I'm logged in I
> can log out and then login again.  On the second login, the parameters are
> not on the url.  Ditto when I fail the first login attempt, subsequent
> attempts don't show the parameters.
>
> Example:
> (bad)-->
> https://my-internal-server.com:8443/someapp/servlet/dwp/x/38/password/mycleartextpasswd/action/LDAPLoginUser/y/10/username/theuser
>
> (good)
> https://my-internal-server.com:8443/someapp/servlet/dwp/action/LDAPLoginUser
>
> Anybody seen this before?  Got any suggestions?  Any tips would be much
> appreciated.

Hi Matthew,

The only way passwords can end up in the PATHINFO of the URL is if you are 
calling $link.addPathInfo() in your login template somewhere.

Instead, you should be using <input type="hidden"> tags for all the 
parameters...  although I am unsure why it works for you sometimes...  
perhaps some of the logic in your template is the problem.

You can always post your login template if you want someone on the list to 
give you some more feedback.

Regards,

-- Rodney

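Added example, not part of this thread or of Turbine itself: a small Python check that scans Tomcat access-log lines for Turbine-style `/key/value` pathinfo (and ordinary query strings) carrying credential field names, and shows what the request line looks like once those values are redacted. The sample log lines, the key list and the log format pattern are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that must never appear in a request URL.
# Assumption: extend this set with your own application's field names.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "username", "user"}
REDACTED = "REDACTED"

# Tomcat AccessLogValve "common" pattern: host ident authuser [date] "request" status bytes
ACCESS_LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def redact_target(target):
    """Return (sensitive_keys_found, redacted_target) for one request target.

    Turbine pathinfo encodes parameters as alternating /key/value segments, so a
    sensitive key name is followed by the value to hide.  Query-string parameters
    (?key=value) are checked too, in case a form falls back to GET.
    """
    parts = urlsplit(target)
    found = []
    segs = parts.path.split("/")          # keeps empty segments, so rejoin is lossless
    for i, seg in enumerate(segs):
        if seg.lower() in SENSITIVE_KEYS and i + 1 < len(segs):
            found.append(seg)
            segs[i + 1] = REDACTED
    query = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            found.append(key)
            value = REDACTED
        query.append((key, value))
    clean = parts._replace(path="/".join(segs), query=urlencode(query))
    return found, urlunsplit(clean)


def scan_access_log(lines):
    """Return [(line_number, keys_found, redacted_target)] for lines that leak credentials."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_LINE_RE.match(line)
        if m:
            found, clean = redact_target(m.group("target"))
            if found:
                hits.append((n, found, clean))
    return hits


# Constructed sample log lines (not real data): the first login attempt leaks the
# form fields into the path, the second does not, the third uses a query string.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jul/2002:23:50:33 +0000] "GET /someapp/servlet/dwp/x/38/password/mycleartextpasswd/action/LDAPLoginUser/y/10/username/theuser HTTP/1.1" 302 0
10.0.0.5 - - [26/Jul/2002:23:50:34 +0000] "GET /someapp/servlet/dwp/action/LDAPLoginUser HTTP/1.1" 200 5120
10.0.0.6 - - [26/Jul/2002:23:51:10 +0000] "GET /someapp/servlet/dwp/login?username=bob&password=hunter2 HTTP/1.1" 302 0
""".splitlines()

if __name__ == "__main__":
    for n, keys, clean in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: leaked {sorted(keys)} -> {clean}")
```

Run it against a real `$CATALINA_HOME/logs` access log to confirm whether the first-login leak is present, and to see which fields would need scrubbing before the logs are shared.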