开发者

Send password from form on HTTP to php script on HTTPS

问答 作者:

I have a login form situated on my home page on HTTP. I want the user to type in their username and password there (as a shortcut) and then send the vari开发者_运维知识库ables to my login script on HTTPS.

Is it safe enough to do it this way? I really don't want the home page to run on HTTPS as well as it makes things slower without any gain really except safe variable transfer obviously, apologies if my terminology is wrong here.

Advice would be much appreciated.

// EDIT:

All passwords are hashed with SHA1 and a hashed salt [sha1(sha1(password).sha1(salt))] before inserted into the db, and this will happen on the login script on HTTPS before being authenticated against the db password

just change the action argument from your form to the HTTPS url you want to access :

<form action="https://www.example.com/login.php">

The data will be sent to this url using the HTTPS protocol. This is assuming you use a "normal" submit button and not some custom way to send the form.

edit: As suggested in other answer, once logged, ALL the traffic must be done in HTTPS to avoid cookies theft or other problems. Only the home page when not logged can be securely accessed trough HTTP, once the user has entered any login information, the subsequent traffic must be encrypted.

My suggestion is that if you care to encrypt username / password, you should care to encrypt the traffic as well. For example, how are you going to maintain state with a user login? Sessions? That relies on a cookie, which if someone were to intercept the session_id, they could impersonate that logged in user. So basically, if someone cares enough to intercept your usernames and passwords, they would care enough to sniff the plain text cookies, and achieve the same result.

Yes - the action of the form should point to https://blah.blah...

The protocol then dictates that the browser initiate a connection , swap encyptions keys , encrypt data and finally send.

The fact you are on a public page posting to a secure page is irrelevant.

继续阅读:authenticationhttphttpsphp

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9