sde passwords

Steven Monai stevem at SPATIALMAPPING.COM
Thu Oct 27 13:01:41 EDT 2005


There is also an example in the mapfile documentation:

http://mapserver.gis.umn.edu/doc46/mapfile-reference.html#variablesubstitution

Some things to think about if you're considering using this technique:

Cookies, like any other HTTP header, are sent over the wire in plain text,
so anyone who can sniff your network traffic can see them. And a cookie,
once set in your browser, is re-sent in *every* request to the origin
server, giving even casual sniffers plenty of opportunities to grab your
passwords.

Finally, even if your network traffic is secure, you need to be aware of
the kinds of cookies you use. Session cookies are fairly safe, since they
vanish when you close your browser. Persistent cookies are more dangerous,
since they will be stored in some browser-specific way that may be easy for
others to view. If you don't like the idea of storing your passwords in
plain text files, then you should not want your browser to do essentially
the same thing in its cookie-store.

Just my $0.02,
-SM
--


On Wed, 26 Oct 2005 11:55:44 -0500, Steve Lime <steve.lime at DNR.STATE.MN.US>
wrote:

>We've been using cookies as a way to pass a username/password to
>MapServer. For example, our application will prompt users for a username
>and password when they first try to hit an SDE layer and use session
>cookies to store it. Then via the MapServer CGI you can insert those
>cookies directly into the connection URL:
>
>  CONNECTIONTYPE SDE
>  CONNECTION "sde.dnr.state.mn.us,mycoverage,dummy,%username%,%password%"
>
>Steve
>
>>>> Kevin Flanders <kevin at PEOPLEGIS.COM> 10/26/05 10:59 AM >>>
>For connections to SDE, how are folks protecting password information?
>
>
>
>Kevin
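
A defensive check for the two risks raised in this thread (cleartext transport and persistent storage), added here as an illustration and not part of the original messages or of MapServer. It audits the Set-Cookie headers of a response for the cookies that feed %username% and %password%; the cookie names, URLs and sample headers are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Assumed cookie names, matching %username% / %password% in the quoted mapfile.
CREDENTIAL_COOKIES = {"username", "password"}

def audit_response(url, raw_headers):
    """Flag credential cookies that can be sniffed or that persist on disk.

    Returns a sorted list of (cookie_name, finding) tuples.
    """
    https = url.lower().startswith("https://")
    findings = set()
    for line in raw_headers.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value.strip())
        for name, morsel in jar.items():
            if name.lower() not in CREDENTIAL_COOKIES:
                continue
            # Unless the page is served over HTTPS and the cookie carries
            # Secure, the value can travel in cleartext with later requests.
            if not (https and morsel["secure"]):
                findings.add((name, "sent-in-cleartext"))
            # Expires or Max-Age makes the cookie persistent: the browser
            # writes it to its cookie store instead of dropping it on exit.
            if morsel["expires"] or morsel["max-age"]:
                findings.add((name, "persistent"))
    return sorted(findings)

# Constructed sample responses (not captured from any real server).
SAMPLE_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: username=gisuser; Path=/\r\n"
    "Set-Cookie: password=example-pw; Path=/; Max-Age=2592000\r\n"
    "Set-Cookie: theme=dark; Max-Age=2592000\r\n"
)
SAMPLE_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: username=gisuser; Path=/; Secure\r\n"
    "Set-Cookie: password=example-pw; Path=/; Secure\r\n"
)

if __name__ == "__main__":
    for url, raw in (("http://maps.example.org/cgi-bin/mapserv", SAMPLE_HTTP),
                     ("https://maps.example.org/cgi-bin/mapserv", SAMPLE_HTTPS)):
        print(url, audit_response(url, raw))
```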


