Re: [PHP] Quick question, a little 0T i guess... BASIC_AUTH or forms



Hi guys,

Thank you for your responses and your input.

"At the end of the day the best way to secure data being transferred from
client to server is to use SSL."

THAT I know ;) was just wondering from a normal http page... and you answered that question perfectly...so thanks again!

Would someone mind sending me that javascript in question? I don't think I will be using it but I would like to have a look at it.

Cheers!
R


Stut <stuttle@xxxxxxxxx> wrote:

I think you meant to send this to the OP not me. And please also include
the list in your replies.

Tijnema ! wrote:
The best way is using an HTML form, and then adding a javascript, that
runs before submitting, that encrypts the password with md5.

This offers little more security than plain text. Your "encryption"
mechanism is visible to the "bad guys", so all you've done is added an
extra no-brainer hurdle for them to get over.

At the end of the day the best way to secure data being transferred from
client to server is to use SSL.

-Stut

On 3/4/07, *Stut* > wrote:

Ryan A wrote:
> Quick question, one of our sites already uses BASIC_AUTH to take
> the username and pass from clients, we were thinking of instead
> doing it via a login form (so we can also add a CAPTCHA later...if
> needed)
>
> what I would like to know is, by using a login form instead of a
> BASIC_AUTH are we compromising security in any way (for example if
> someone is using a "sniffer") or does BASIC_AUTH have some kind of
> extra inbuilt security that forms don't have that I am not aware of?

Basic authentication offers no more security than a form - the login
details are sent as plain text using both methods.

-Stut

--
PHP General Mailing List (http://www.php.net/ )
To unsubscribe, visit: http://www.php.net/unsub.php





------
- The faulty interface lies between the chair and the keyboard.
- Creativity is great, but plagiarism is faster!
- Smile, everyone loves a moron. :-)
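
The point made in the thread above, that Basic auth, a plain login form, and a form with client-side MD5 all put a usable credential on the wire over plain HTTP, as an added Python example that is not part of the original messages. The sample credentials, the field names `user` and `pass`, and the `server_accepts` check are constructed assumptions.

```python
import base64, hashlib, hmac
from urllib.parse import urlencode, parse_qs

USER, PASSWORD = "alice", "s3cret-pass"  # constructed sample credentials

def basic_auth_header(user, password):
    """Authorization header value sent for HTTP Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def form_body(user, password):
    """Body of a login form POST (application/x-www-form-urlencoded)."""
    return urlencode({"user": user, "pass": password})

def md5_form_body(user, password):
    """Form POST after a client-side script swapped the password for its MD5."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return urlencode({"user": user, "pass": digest})

def read_basic(header):
    """Base64 is an encoding, not encryption: decoding needs no key."""
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = decoded.partition(":")
    return user, password

def read_form(body):
    """Recover the fields exactly as the server (or anyone on the path) sees them."""
    fields = parse_qs(body)
    return fields["user"][0], fields["pass"][0]

def server_accepts(body, stored_md5):
    """Hypothetical server side of the MD5 variant: it can only compare the
    submitted hash, so the hash on the wire is itself the credential."""
    user, submitted = read_form(body)
    return hmac.compare_digest(stored_md5.get(user, ""), submitted)

if __name__ == "__main__":
    print("Basic :", read_basic(basic_auth_header(USER, PASSWORD)))
    print("Form  :", read_form(form_body(USER, PASSWORD)))
    body = md5_form_body(USER, PASSWORD)
    stored = {USER: hashlib.md5(PASSWORD.encode()).hexdigest()}
    # The MD5 body is byte-identical on every login: no nonce, no session binding.
    print("MD5   :", read_form(body), "same every login:", body == md5_form_body(USER, PASSWORD))
    print("Server accepts the observed body as-is:", server_accepts(body, stored))
```

Over TLS none of these three values is visible to an observer on the path, which is the conclusion the thread reaches.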
