This entry was posted on Monday, February 18th, 2008 at 1:26 pm and is filed under PHP.
2 Responses to “Secure authentication without SSL”
February 20, 2008 at 10:35 pm
I’ve been considering doing something similar for a project I’m working on. Only, if I were you, I’d include something like a hidden profile field to indicate whether you’re POSTing the password in cleartext or in the hashed format. That way, users without JavaScript can still log in, albeit less securely. Simply use a simple JavaScript to change the value of the hidden field for users who do have JS enabled.
Otherwise, I like it, and I’ll definitely borrow an idea or two from your setup for my project. Thanks!
February 21, 2008 at 11:07 am
Be careful, I’m writing a second post since we discovered a miss in this approach. Your proposition to let the JavaScript set up the type of authentication (plain text or hash) is a good point; I will add it later.