Re: [PHP] Re: Sequrity without HTTPS?
--- Peter Lauri <[EMAIL PROTECTED]> wrote:
> If you use the Authority HTTP that pops up a login window by
> default, is that safe against "listeners"?

Assuming you mean HTTP Basic Authentication, it is not encrypted, so it is not "safe" from snooping.

Chris

Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly
HTTP Developer's Handbook - Sams
Coming February 2005 http://httphandbook.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Re: Sequrity without HTTPS?
On 11/18/2004 10:23 AM, Peter Lauri wrote:
> If you use the Authority HTTP that pops up a login window by
> default, is that safe against "listeners"?

It depends on the authentication method. Basic authentication method passes passwords as base64 encoded plain text. Digest and even NTLM are safer because the actual passwords are not sent without encryption.

--
Regards,
Manuel Lemos

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/

Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html

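Added example, not part of the original thread: the difference between the two schemes named in the message above, shown as code. It decodes a Basic credential exactly as any observer of the request could, then computes and verifies an RFC 2617 Digest response (qop=auth, MD5), where only a nonce-bound hash is transmitted. The function names are hypothetical and the sample values are the published examples from RFC 2617.

```python
import base64
import hashlib
import hmac


def decode_basic(header_value):
    """Recover (user, password) from an 'Authorization: Basic ...' value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(user, realm, password):
    """The only password-derived value a Digest server has to store."""
    return _md5_hex(f"{user}:{realm}:{password}")


def digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' field for qop=auth with MD5."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1, issued_nonce, fields, method):
    """Server-side check: the nonce must be the one this server issued."""
    if fields["nonce"] != issued_nonce:
        return False  # response was computed for another challenge (replay)
    expected = digest_response(stored_ha1, method, fields["uri"],
                               fields["nonce"], fields["nc"], fields["cnonce"])
    return hmac.compare_digest(expected, fields["response"])


# Sample values are the published examples from RFC 2617, not data from this thread.
BASIC_HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
DIGEST_FIELDS = {"uri": "/dir/index.html", "nc": "00000001", "cnonce": "0a4f113b",
                 "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                 "response": "6629fae49393a05397450978507c4ef1"}
```

Calling decode_basic(BASIC_HEADER) returns the user name and password in the clear; verify_digest() accepts the sample response only for the nonce the server issued, so the same captured response fails against a fresh challenge.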
[PHP] Re: Sequrity without HTTPS?
Peter Lauri wrote:
> If you use the Authority HTTP that pops up a login window by
> default, is that safe against "listeners"?

IMHO, the login-data is sent as plain text also, and this with every subsequent request! and not only with the first!

--
Sebastian Mendel

www.sebastianmendel.de
www.warzonez.de
www.tekkno4u.de
www.nofetish.com
www.sf.net/projects/phpdatetime
www.sf.net/projects/phptimesheet

[PHP] Re: Sequrity without HTTPS?
If you use the Authority HTTP that pops up a login window by default, is that safe against "listeners"?

/Peter

"Sebastian Mendel" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Peter Lauri wrote:
> > Best groupmember,
> >
> > I am about to develop a simple admintool for a webpage. My webhost (crappy
> > but nonexpensive) does not support HTTPS and I still want to be able to
> > create some sort of secure login.
> >
> > For the moment I am just using a form that sends the username and passwd
> > with POST method that verifies the username and passwd in a script. When
> > this is set I put a $_SESSION['usertype']="admin" and when an adminpage is
> > being requested I check so that this sessionvariable is "admin", otherwise
> > I redirect to the loginpage and unset all session variables.
> >
> > Can someone from outside set a $_SESSION variable with some "hacker"
> > technique?
> >
> > I assume it is easy to listen to the USERNAME and PASSWORD in the POST-form.
> >
> > Someone with some tips and tricks to get a secure system without using
> > HTTPS?
>
> if you have no https you can try a javascript-solution
>
> encode with an encode-key with javascript before sending and decode with
> a decode-key when receiving!
>
> just what you need is a key that can encode but not decode! and the
> appropriate decode key on the server, to decode it.
>
> just try to look for some javascript in the web!
>
> --
> Sebastian Mendel
>
> www.sebastianmendel.de www.warzonez.de www.tekkno4u.de www.nofetish.com
> www.sf.net/projects/phpdatetime www.sf.net/projects/phptimesheet

[PHP] Re: Sequrity without HTTPS?
Peter Lauri wrote:
> Best groupmember,
>
> I am about to develop a simple admintool for a webpage. My webhost (crappy
> but nonexpensive) does not support HTTPS and I still want to be able to
> create some sort of secure login.
>
> For the moment I am just using a form that sends the username and passwd
> with POST method that verifies the username and passwd in a script. When
> this is set I put a $_SESSION['usertype']="admin" and when an adminpage is
> being requested I check so that this sessionvariable is "admin", otherwise
> I redirect to the loginpage and unset all session variables.
>
> Can someone from outside set a $_SESSION variable with some "hacker"
> technique?
>
> I assume it is easy to listen to the USERNAME and PASSWORD in the POST-form.
>
> Someone with some tips and tricks to get a secure system without using
> HTTPS?

if you have no https you can try a javascript-solution

encode with an encode-key with javascript before sending and decode with a decode-key when receiving!

just what you need is a key that can encode but not decode! and the appropriate decode key on the server, to decode it.

just try to look for some javascript in the web!

--
Sebastian Mendel

www.sebastianmendel.de
www.warzonez.de
www.tekkno4u.de
www.nofetish.com
www.sf.net/projects/phpdatetime
www.sf.net/projects/phptimesheet