Hi!
This is the (common and obvious) problem: how to securely send passwords via HTML forms, in case someone is sniffing your traffic?
Currently, in my web sites, I "encrypt" (md5) the password before submitting the form. Anyway, this does not seem to be a solution, because if you sniff the encrypted password, it is practically the same as sniffing the plain password, since you can HTTP POST it to the server and the result is the same as knowing the plain password.
So, I thought of doing this: instead of sending md5(password), I can send md5(password+session_id). Of course, this would mean that the user must accept the session cookie or anyway must transport the session id as a GET variable. My doubt is I don't know exactly how sessions and session ids work and are managed by PHP, so I'm not sure that it would be impossible to forge/copy a session id in order to use a previously sniffed encrypted password.
I would like to hear some comments/suggestions :-)
Thank you!
It seems to have everything one would need to be able to password protect a PHP site. It allows for password only access and username and password combination access. Omitting the user name sets it up for password only. If you choose to enable cookies the username and password only need to be entered once when accessing the site, otherwise the user will be prompted each time the page is refreshed or another page is selected from the site. The documentation seems to be very clear, and the site that I am directing you to is a forum with questions and answers that will probably enable you to successfully set up the form. I would guess that since it uses PHP it is probably passing plain-text information over the network. To successfully set up a password protected system would require that the password be transmitted with an encryption key. SSL was designed specifically for this purpose.
If you don't need actual security, having the server and some JavaScript generate some one-time-only nonce or salt would prevent people using the md5 hash to log in.
If you need actual security, SSL is the way to go.
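
The one-time nonce exchange suggested in the last reply, as an added example that is not part of the thread: the server issues a random nonce with the form, the client answers with a keyed hash over it, and the server consumes the nonce on first use so a sniffed answer cannot be posted again. The function names, the sample account and the choice of HMAC-SHA256 for the response are assumptions; the stored value is md5(password) as in the original post.

```javascript
const crypto = require('crypto');

// Constructed sample account; the server stores md5(password), as in the original post.
const md5 = (s) => crypto.createHash('md5').update(s).digest('hex');
const users = new Map([['alice', md5('correct horse')]]);

// Outstanding challenges: nonce -> expiry time in ms. Each one is usable once.
const pending = new Map();
const NONCE_TTL_MS = 60000;

// Server: issue a fresh random nonce together with the login form.
function issueNonce(now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(nonce, now + NONCE_TTL_MS);
  return nonce;
}

// Client (form script): the value submitted instead of md5(password).
function clientResponse(password, nonce) {
  return crypto.createHmac('sha256', md5(password)).update(nonce).digest('hex');
}

// Server: check the response and consume the nonce whether or not it matched.
function verifyLogin(user, nonce, response, now = Date.now()) {
  const expiry = pending.get(nonce);
  pending.delete(nonce); // one-time: a replayed nonce is no longer known
  if (expiry === undefined || now > expiry) return false;
  const stored = users.get(user);
  if (stored === undefined) return false;
  const expected = crypto.createHmac('sha256', stored).update(nonce).digest();
  const got = Buffer.from(String(response), 'hex');
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Walk-through: a legitimate login, then the same captured values sent again.
function demo() {
  const nonce = issueNonce();
  const sniffed = { user: 'alice', nonce, response: clientResponse('correct horse', nonce) };
  const first = verifyLogin(sniffed.user, sniffed.nonce, sniffed.response);
  const replay = verifyLogin(sniffed.user, sniffed.nonce, sniffed.response);
  // The old response is also useless against a newly issued nonce.
  const reuseOnNewNonce = verifyLogin(sniffed.user, issueNonce(), sniffed.response);
  return { first, replay, reuseOnNewNonce };
}
```

This stops only the replay of a captured response: the stored md5(password) is still password-equivalent, and anyone who records the nonce and response can test password guesses offline, which is why the thread points to SSL for actual security.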