The only way to keep a password secure between the client and server is to
use a Secure Socket Layer (SSL) to create an encrypted channel of
communication between the client and server. You can see this in practice
over at Sourceforge.net. They use PHP over an SSL connection to handle user
logins.

Do a search on Google for 'SSL' and start reading :)

- James

> -----Original Message-----
> From: Bill Rausch [mailto:[EMAIL PROTECTED]]
> Sent: January 25, 2001 4:54 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] password protection
>
>
> Hi all,
>
> This isn't strictly a PHP issue but is quite related.  Given that you have
> a PHP-driven web site with user authorization and session identifiers etc.,
> what can you do to prevent electronic "snooping" of the clear text password
> that is passed from the browser to the server?  When filling out a form,
> for example:
>
> Enter your user name and password:
> ...
> <FORM ACTION="<?=$PHP_SELF?>" METHOD="POST">
> <B>User Name:</B><BR>
> <INPUT TYPE="TEXT" NAME="newusername" VALUE="" SIZE="10" MAXLENGTH="15">
> <P>
> <B>Password:</B><BR>
> <INPUT TYPE="password" NAME="newpassword" VALUE="" SIZE="10" MAXLENGTH="15">
> <P>
> <INPUT TYPE="SUBMIT" NAME="submit" VALUE="Login">
> </FORM>
> ...
>
> the TYPE="password" makes sure the browser doesn't echo the password as it
> is typed but it is still sent to the web server as clear text.  How do
> folks deal with this issue?
>
> Thanks,
> Bill
> ---
>  Bill Rausch, Software Development, Unix, Mac, Windows
>  Numerical Applications, Inc.  509-943-0861   [EMAIL PROTECTED]
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
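
An added example (not code from either poster) of the approach in the reply above: a login page that accepts the form's `newusername`/`newpassword` fields only over an SSL/TLS connection and keeps the session cookie off plain HTTP. `CANONICAL_HOST`, `check_credentials()` and its constructed account are assumptions for illustration, as is PHP 7.4+ with TLS terminating at the web server that runs PHP.

```php
<?php
// Added example, not code from the thread. Assumes TLS terminates at the web
// server running PHP (no reverse proxy), so $_SERVER['HTTPS'] is trustworthy.
const CANONICAL_HOST = 'www.example.com';   // assumed site name

function request_is_https(array $server): bool {
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

function check_credentials(string $user, string $pass): bool {
    // Hypothetical stand-in for the site's user store; the account is constructed.
    static $users = null;
    $users ??= ['bill' => password_hash('example-only', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

if (!request_is_https($_SERVER)) {
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // The password already crossed the network in clear text: refuse it.
        http_response_code(400);
        exit('Login is only accepted over HTTPS.');
    }
    // Redirect to a fixed host, never to the client-supplied Host header.
    header('Location: https://' . CANONICAL_HOST . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

header('Strict-Transport-Security: max-age=31536000');
// Keep the session identifier off plain HTTP as well.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();
$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string)filter_input(INPUT_POST, 'newusername');
    $pass = (string)filter_input(INPUT_POST, 'newpassword');
    if (check_credentials($user, $pass)) {
        session_regenerate_id(true);   // new session id after login
        $_SESSION['user'] = $user;
        exit('Logged in as ' . htmlspecialchars($user));
    }
    $error = 'Invalid user name or password.';
}
?>
<p><?= htmlspecialchars($error) ?></p>
<form method="post">
  User name: <input type="text" name="newusername" maxlength="15"><br>
  Password: <input type="password" name="newpassword" maxlength="15"><br>
  <input type="submit" value="Login">
</form>
```

A plain-HTTP POST is rejected rather than redirected because a redirect would hide the fact that the form was served or submitted insecurely.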

