Could anyone explain this Yahoo! source code?

Hello, friends,

I am implementing web app security using asp.net 1.1, and I found the
following source code from Yahoo! Mail login page:

<form method="post" action="https://login.yahoo.com/config/login?"
autocomplete="off" name="login_form">
<input type="hidden" name=".tries" value="1">
<input type="hidden" name=".src" value="ym">
<input type="hidden" name=".md5" value="">
<input type="hidden" name=".hash" value="">
<input type="hidden" name=".js" value="">
<input type="hidden" name=".last" value="">
<input type="hidden" name="promo" value="">
<input type="hidden" name=".intl" value="us">
<input type="hidden" name=".bypass" value="">
<input type="hidden" name=".partner" value="">
<input type="hidden" name=".u" value="f1071nt25i290">
<input type="hidden" name=".v" value="0">
<input type="hidden" name=".challenge"
value="GqALcs.FldrEC7Y6w.typSitjV1D">
<input type="hidden" name=".yplus" value="">
<input type="hidden" name=".emailCode" value="">
<input type="hidden" name="pkg" value="">
<input type="hidden" name="stepid" value="">
<input type="hidden" name=".ev" value="">
<input type="hidden" name="hasMsgr" value="0">
<input type="hidden" name=".chkP" value="Y">
<input type="hidden" name=".done" value="http://mail.yahoo.com">
<table id="yreglgtb" summary="form: login information">
<tr>
<th><label for="username">Yahoo! ID:</label></th>
<td><input name="login" id="username" value="" size="17"
class="yreg_ipt" type="text"></td>
</tr>
<tr>
<th><label for="passwd">Password:</label></th>
<td><input name="passwd" id="passwd" value="" size="17"
class="yreg_ipt" type="password"></td>
</tr>

</table>
<p><input type="checkbox" id="persistent" name=".persistent" value="y">
<label for="persistent">Remember my ID on this computer</label></p>
<p class="yreglgsb"><input type="submit" value="Sign In"></p>
</form>

When a user clicks on the Sign In submit button, it sends username & passwd to
https://login.yahoo.com/config/login for authentication.

However, what I don't understand is: I thought after a user sends his/her
username & passwd, but before his/her request arrives at the Yahoo! server to be
taken care of by https://login.yahoo.com/config/login, there is NO SSL.

If I was right, then, it did NOT make sense to use https here, since
username & passwd had been transferred in plain text through internet already.

Could anyone explain this to me? It really puzzled me.

Thanks a lot.

May 4 '06 #1
You go to a non-secure page (the Yahoo login page) and enter your username
and password into the text box. At this point nothing is insecure because
the information you've entered only exists on your computer - it hasn't been
submitted over the internet. You hit submit, the browser does a new request
to the action address, in this case it's under SSL and sends along the
username/passwords you entered in the box. This information is encrypted
because the request is made over SSL.

You seem to be thinking that because you enter information in a non-SSL
page, then the information is submitted without encryption. But the
information is submitted as part of the request initiated by the form submit
to the form action, which is using SSL.

Karl

--
http://www.openmymind.net/


May 4 '06 #2
