
How to mask URL parameters when using a Perl CGI redirect

I have an authenticate.cgi script which receives a username/password and validates them.

If it's a valid login, I redirect the page to myIndex.cgi, sending some parameters like start-date/username etc., where a report is shown to the user.

If it's an invalid login, I redirect to the previous page so the username/password can be re-entered.

When I redirect to myIndex.cgi, the URL shows all the parameters in the URL bar. Is there a way to mask them so the parameters and their values are not shown in the URL?

Is there a way to do it? Please let me know. Thanks.

authenticate.cgi

#!/usr/bin/perl
use strict;
use warnings;
use CGI;

my $query    = CGI->new;
my $username = $query->param('username') // '';
my $password = $query->param('password') // '';
my $referrer;

#Redirect to login if invalid username/password or redirect to report page
if ( ( $username eq '' ) ||  ( $password eq '' ) )
{
        #print "not defined\n";
        $referrer = $ENV{HTTP_REFERER};
        print $query->redirect($referrer);
}
else
{
        # verifyLogin() is defined elsewhere in the script; "98" means the login is valid
        my $retStatus = verifyLogin($username,$password);
        my $myUser = $username;

        #Redirect to the caller
        if($retStatus eq "98")
        {
                $referrer = "http://projects.pjkeary.net/inspections_done_report/myIndex.cgi?start=2014-10-01&end=2014-10-31&exclude_dt=1&myUser=$myUser";
        }
        else
        {
                $referrer = $ENV{HTTP_REFERER};
        }
        # Only one redirect header may be sent per request
        print $query->redirect($referrer);
}

As already noted - you can't really do this with a POST at the same time as redirecting. But neither can you do it with a GET, because that exposes auth credentials to anyone watching. (As noted below - just because it's POSTed doesn't make it in any way hidden - it's still sent in the clear, and trivially easy to intercept. It just doesn't appear as obviously in history or proxy logs.)

You could perhaps embed the credentials in a cookie, but cross-site cookie passing in particular is potentially unpleasant.

So what I would suggest is to take a leaf from Kerberos' book. What Kerberos does is enable trusted third-party authentication by passing around encrypted and time-limited tokens. http://en.wikipedia.org/wiki/Kerberos_%28protocol%29

So algorithmically you could:

  • Create a public-private key pair.
  • Put the public key on the 'authenticator' server.
  • Put the private key on the 'destination' server.
  • When someone authenticates successfully, generate a token that includes:
    • timestamp
    • source IP
    • username
    • sequence number or serial number (if you want to avoid re-use)
  • Encrypt the token using the public key.
  • Base64 encode it, and pass it to the client as a parameter in the URL.

The destination server can trust the token, because it can decrypt it, and it's got enough information (time and source IP) to make it non-trivial to steal and reuse the encryption token. And it then 'knows' that the user accessing is valid and authenticated.

You could extend the 'token' to include any sensitive parameters you want to pass, and leave any you're happy to send in the clear.

Perl modules probably exist to do this, but I'm not familiar enough with them, so instead:

openssl genrsa -out openssl_gen_rsa
openssl rsa -in openssl_gen_rsa -pubout -out openssl_gen_rsa.out 

Then take a 'plain text' file and encrypt it with the public key:

openssl rsautl -inkey openssl_gen_rsa.out -pubin -in test_file.txt -encrypt -out test_file.openssl.pub.enc

Base64 encode it. (There's a base64 command on Linux, but Perl has built-in stuff.)

Then you decrypt using the private key:

openssl rsautl -inkey openssl_gen_rsa -in test_file.openssl.pub.enc -decrypt

Perl definitely has built-in modules to do this though.
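The token scheme sketched in the list above and in the openssl commands, written out as one Perl script. This is an added example, not code from the question or the answer; it assumes the Crypt::OpenSSL::RSA and MIME::Base64 modules (3.11 or later, for the URL-safe encoders), and the `issue_token`/`redeem_token` names, the 60-second lifetime and the `token` parameter are this example's own choices. It goes one step beyond the answer: encrypting with a public key hides the fields but does not prove who built the token, since anyone holding the destination's public key can produce a valid ciphertext, so the authenticator here also signs the ciphertext with a key only it holds.

```perl
#!/usr/bin/perl
# Added example: an encrypted, signed, time-limited login token carried in the
# redirect URL instead of the raw username. Keys are generated in-process so the
# script runs stand-alone; in a deployment each side loads only its own PEM file
# (the openssl genrsa/rsa commands above produce exactly those files).
use strict;
use warnings;
use Crypt::OpenSSL::RSA;
use MIME::Base64 qw(encode_base64url decode_base64url);

my $MAX_AGE = 60;       # seconds a token stays valid (assumed policy)
my $SKEW    = 5;        # clock skew tolerated between the two hosts (assumed)
my $SEP     = "\x1f";   # field separator; never appears in ip/user/serial

# Destination key pair, split as in the answer: the public half lives on the
# authenticator, the private half on the destination.
my $dest      = Crypt::OpenSSL::RSA->generate_key(2048);
my $dest_pub  = Crypt::OpenSSL::RSA->new_public_key($dest->get_public_key_string);
my $dest_priv = Crypt::OpenSSL::RSA->new_private_key($dest->get_private_key_string);
$_->use_pkcs1_oaep_padding for $dest_pub, $dest_priv;

# Authenticator signing pair (an addition to the answer's scheme): the private
# half stays on the authenticator, the public half goes to the destination.
my $auth      = Crypt::OpenSSL::RSA->generate_key(2048);
my $auth_priv = Crypt::OpenSSL::RSA->new_private_key($auth->get_private_key_string);
my $auth_pub  = Crypt::OpenSSL::RSA->new_public_key($auth->get_public_key_string);
$_->use_sha256_hash for $auth_priv, $auth_pub;

my %redeemed;        # serials already used (stand-in for a shared table/DB)
my $next_serial = 1;

# Authenticator side: token = base64url(RSA-OAEP(fields)) . "." . base64url(sig).
# With a 2048-bit key OAEP accepts at most 214 bytes of plaintext, enough for
# these fields; a token extended with larger parameters would need hybrid
# (symmetric) encryption instead.
sub issue_token {
    my ($username, $client_ip) = @_;
    my $fields = join $SEP, time(), $client_ip, $username, $next_serial++;
    my $enc    = $dest_pub->encrypt($fields);
    # base64url output contains no '+', '/' or '=', so it needs no %-escaping
    return encode_base64url($enc) . '.' . encode_base64url($auth_priv->sign($enc));
}

# Destination side: check the signature before touching the ciphertext, then
# decrypt and apply the freshness, source-IP and single-use checks.
# Returns (username, 'ok') on success or (undef, reason) on rejection.
sub redeem_token {
    my ($token, $client_ip) = @_;
    my ($enc_b64, $sig_b64) = split /\./, $token, 2;
    return (undef, 'malformed') unless defined $sig_b64;
    my $enc = decode_base64url($enc_b64);
    return (undef, 'bad signature')
        unless eval { $auth_pub->verify($enc, decode_base64url($sig_b64)) };
    my $fields = eval { $dest_priv->decrypt($enc) };
    return (undef, 'undecryptable') unless defined $fields;
    my ($ts, $ip, $user, $serial) = split /\Q$SEP\E/, $fields, -1;
    return (undef, 'malformed') unless defined $serial && $ts =~ /^\d+$/;
    my $now = time();
    return (undef, 'expired')     if $ts < $now - $MAX_AGE || $ts > $now + $SKEW;
    return (undef, 'ip mismatch') if $ip ne $client_ip;
    return (undef, 'replayed')    if $redeemed{$serial}++;
    return ($user, 'ok');
}

# Demo with constructed values: authenticate.cgi would put $url in its
# redirect, and myIndex.cgi would call
# redeem_token($query->param('token'), $ENV{REMOTE_ADDR}).
my $tok = issue_token('alice', '203.0.113.7');
my $url = "http://destination.example/myIndex.cgi?token=$tok";
print "redirect to: $url\n";
for my $ip ('203.0.113.7', '198.51.100.9', '203.0.113.7') {
    my ($user, $why) = redeem_token($tok, $ip);
    printf "from %-13s -> %s (%s)\n", $ip, $user // 'rejected', $why;
}
(my $bad = $tok) =~ tr/a-zA-Z/A-Za-z/;   # flip letter case to simulate tampering
my ($user, $why) = redeem_token($bad, '203.0.113.7');
printf "tampered token -> %s (%s)\n", $user // 'rejected', $why;
```

The three redemptions exercise the checks in order: the first from the issuing address succeeds, the second from another address is refused as an IP mismatch, and the third from the right address is refused as a replay because the serial was consumed on the first use. The token still travels in a URL, so it lands in browser history and proxy logs just like the parameters the question is trying to hide; the short lifetime and single-use serial are what limit the damage of that, and the redirect should go over HTTPS so the token is not also readable on the wire.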
