Facing the same challenge, the best I could come up with was:

* Client gets a (session-based) nonce from the web server
* Password is combined with the nonce and then hashed
* Using JSON-P, send the request by GET to the login script over HTTPS with username & the hash
* Server checks the hash matches the hash of the password + the nonce and sends a JSON response indicating success/fail and other login info

HTTPS gives you the encryption; the nonce gives some protection from the URI being stolen (GET will include the password hash in the URI), by making it session specific.

This only works if the server has access to the full user password; if only a hash of the password is stored, then this won't work.

David

On Oct 22, 5:31 pm, Kovács Gábor <mach3...@gmail.com> wrote:
> Hi all,
>
> I would like to implement a login functionality to my website. I've written
> a login form like this: http://web-kreation.com/demos/Sliding_login_panel_jquery.
>
> The problem is: how can I send the username and password to the server in a
> secure way? I mean, if the server sends the whole page over HTTP and the
> user then wants to log in, he would not be able to send it over HTTPS, unless the
> server sends the login page to the user over HTTPS. But I would like this
> thing to happen with no full page refresh. Is there any way I could do it?
> Thanks in advance.
>
> Gábor
>
> //sorry for my English
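The nonce scheme David outlines above, as an added example (not code from either poster): the server issues one nonce per session, the client hashes password + nonce, and the server recomputes and compares. It assumes SHA-256 as the hash (the post names none), a plaintext user store (the limitation David notes), and a single-use nonce so a copied GET URL cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Constructed demo user store. The scheme needs the plaintext password on the
# server, so that is what this holds (assumption for illustration only).
USERS = {"alice": "correct horse battery staple"}

# session_id -> outstanding nonce; one nonce per session, consumed on use
_session_nonces = {}


def issue_nonce(session_id):
    """Step 1: server hands the client a fresh, session-bound nonce."""
    nonce = secrets.token_hex(16)
    _session_nonces[session_id] = nonce
    return nonce


def client_hash(password, nonce):
    """Step 2: client combines the password with the nonce and hashes it.
    SHA-256 is an assumption; the post does not name a hash function."""
    return hashlib.sha256((password + nonce).encode()).hexdigest()


def verify_login(session_id, username, submitted_hash):
    """Step 4: server recomputes the hash for this session's nonce and compares.
    The nonce is consumed whether or not the attempt succeeds, so the hash
    carried in a leaked GET URL is useless for any later request."""
    nonce = _session_nonces.pop(session_id, None)
    password = USERS.get(username)
    if nonce is None or password is None:
        return False
    expected = client_hash(password, nonce)
    # constant-time comparison so timing does not reveal where hashes differ
    return hmac.compare_digest(expected, submitted_hash)
```

A second call with the same hash fails because the nonce was consumed, which is the protection David describes for a stolen URI.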
