Reputation: 5802
Encrypted user credentials when they are transmitted
How can we encrypted user credentials when they are transmitted with php? (in login forms)
Thanks
Upvotes: 2
Views: 2833
Answers (4)
Reputation: 67019
"user credentials" are not just the username and password. A user credential is any data that is used for authentication. There is no point in using https for the login page if you just spill the session id a few milliseconds later by using http. The session id, is a credential and must be protected just like a username/password.
You must use https for the entire session. Spilling the session id over HTTP is a clear violation of The OWASP top 10: Broken Authentication and Session Management.
Upvotes: 3
Reputation: 75619
You can use one of the following to prevent the password being sent over the line in plain text:
- Use HTTPS.
- Use HTTP Digest authentication.
- Encrypt the password using Javascript.
Upvotes: 3
Reputation: 97835
The easiest way is to use a form action that's a https url, e.g.:
<form action="https://example.com/target.php" method="post">
Alternatively, you could do some kind of digest authentication. The server would send a nonce and a challenge and you, via javascript, would use that data and the password to build a digest you'd send the server for it to check. For an example, see HTTP digest authentication.
Upvotes: 3
Related Questions
- Encrypting Passwords
- encryption with php
- Securring stored password
- Sending passwords to server in a secure way
- User decryption/encryption in PHP | storing key in session
- Securing Session for login
- Encryption between web service users
- PHP security - password and credentials management?
- Securely storing user credentials in DB, for PHP web application
- encrypting password using php