passwords to CGI

Paul Rubin phr-n2002b at NOSPAMnightsong.com
Tue Jan 14 06:14:17 EST 2003


hwlgw at hotmail.com (Will Stuyvesant) writes:
>     <input type=password name=pwd>
> 
> is scary for a user since he sees the pwd appearing in the url the
> browser calls.  This is when you use the GET method (I'd rather not
> use POST, see below).  Is there a way to encrypt a password before
> it is sent?  Maybe completely different HTML?  I know about the
> getpass module but I want the user to be able to only use his browser.

You should stop looking for kludgy workarounds and fix whatever is
wrong with POST.  POST is the right way to deal with this type of thing.
Otherwise the password appears not only in the browser but also in
the server HTTP log.

Alternatively, instead of submitting a password to a cgi, use HTTP
Basic authentication.  That lowers your UI flexibility a little bit,
but makes the server side programming a little simpler.
 
> - The POST method does only work a first time, when using IE.  After
>   that the server hangs.  I read about a fix (reading LF characters
>   or something) and a solution promised in the next Python 2.3.  But
>   I lost the fix.

You have to consider this a critical bug.  Do whatever it takes to
find a fix or fix it yourself.  There's currently a 2.3 alpha release
out there; maybe you can backport the fix.  Or if necessary, set up an
Apache proxy server in front of your CGIHTTPServer.
 
> Could you recommend an easy fix to CGIHTTPServer or recommend a
> small free downloadable CGI server to use on Windows XP.

If you don't want the overhead of Apache, there are a bunch of
smaller servers at www.acme.com.  You might try thttpd or mini_httpd.
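
The point above about GET putting the password in the server HTTP log, shown as an added example that is not part of the original post: a small audit script that finds and redacts password parameters in Common Log Format access-log lines. The log lines, the script path and every parameter name other than `pwd` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Parameter names treated as secrets. "pwd" is the field name from the post;
# the others are assumptions for illustration.
SECRET_PARAMS = {"pwd", "password", "passwd", "pass"}

# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def leaked_params(log_line):
    """Return the names of secret parameters present in the logged URL."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SECRET_PARAMS]

def redact(log_line):
    """Return the log line with secret parameter values replaced."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return log_line
    parts = urlsplit(m.group("target"))
    pairs = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    target = parts._replace(query=urlencode(pairs)).geturl()
    return log_line[:m.start("target")] + target + log_line[m.end("target"):]

# Constructed sample access-log lines: the same login form submitted with
# GET (form fields end up in the logged URL) and with POST (fields travel in
# the request body, which the access log does not record).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jan/2003:06:14:17 -0500] '
    '"GET /cgi-bin/login.py?user=will&pwd=hunter2 HTTP/1.0" 200 512',
    '192.0.2.10 - - [14/Jan/2003:06:15:02 -0500] '
    '"POST /cgi-bin/login.py HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(leaked_params(line), redact(line))
```

POST keeps the password out of the URL and the access log only; without HTTPS the request body still crosses the network in cleartext.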



