开发者

Encrypted user credentials when they are transmitted

How can we encrypted user credentials when they are transmitted with php? (i开发者_如何学运维n login forms)

Thanks


"user credentials" are not just the username and password. A user credential is any data that is used for authentication. There is no point in using https for the login page if you just spill the session id a few milliseconds later by using http. The session id, is a credential and must be protected just like a username/password.

You must use https for the entire session. Spilling the session id over HTTP is a clear violation of The OWASP top 10: Broken Authentication and Session Management.


The best method is to use ssl (an https page) for your login


The easiest way is to use a form action that's a https url, e.g.:

<form action="https://example.com/target.php" method="post">

Alternatively, you could do some kind of digest authentication. The server would send a nonce and a challenge and you, via javascript, would use that data and the password to build a digest you'd send the server for it to check. For an example, see HTTP digest authentication.


You can use one of the following to prevent the password being sent over the line in plain text:

  • Use HTTPS.
  • Use HTTP Digest authentication.
  • Encrypt the password using Javascript.
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜