Dear group members,
I am about to develop a simple admin tool for a web page. My web host (crappy but inexpensive) does not support HTTPS, and I still want to be able to create some sort of secure login.
For the moment I am just using a form that sends the username and password with the POST method, and a script verifies the username and password. When this is set I put a $_SESSION['usertype']="admin", and when an admin page is being requested I check that this session variable is "admin"; otherwise I redirect to the login page and unset all session variables.
Can someone from outside set a $_SESSION variable with some "hacker" technique?
I assume it is easy to listen to the USERNAME and PASSWORD in the POST form.
Does anyone have some tips and tricks to get a secure system without using HTTPS?

If you have no HTTPS you can try a JavaScript solution:
encode with an encode key in JavaScript before sending, and decode with a decode key when receiving!
What you need is a key that can encode but not decode, and the appropriate decode key on the server to decode it.
Just try to look for some JavaScript on the web!
-- Sebastian Mendel
www.sebastianmendel.de www.warzonez.de www.tekkno4u.de www.nofetish.com www.sf.net/projects/phpdatetime www.sf.net/projects/phptimesheet
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
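
The "encode key / decode key" idea in the reply corresponds to public-key encryption. The following is an added example, not code from either poster: Node's crypto module plays both the browser and the server (RSA-OAEP), and a one-time nonce is included as an assumption so that a captured login cannot be replayed. The account, password and function names are constructed.

```javascript
// Added example; account, password and function names are constructed for illustration.
const crypto = require('node:crypto');

// Server: generate the key pair once. Only publicKey is ever sent to the browser.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Server: store a salted scrypt hash, never the password itself (constructed account).
const salt = crypto.randomBytes(16);
const USERS = new Map([['admin', { salt, hash: crypto.scryptSync('correct horse', salt, 32) }]]);
const pendingNonces = new Set(); // nonces handed out with a login form and not yet used

// Server: embed a fresh one-time nonce in every login form it serves.
function issueNonce() {
  const nonce = crypto.randomBytes(16).toString('hex');
  pendingNonces.add(nonce);
  return nonce;
}

// Browser: encrypt nonce and credentials with the public ("encode") key before POSTing.
function clientEncrypt(pubKey, nonce, user, password) {
  const payload = Buffer.from(JSON.stringify({ nonce, user, password }));
  return crypto.publicEncrypt({ key: pubKey, ...OAEP }, payload).toString('base64');
}

// Server: decrypt with the private ("decode") key; each nonce is accepted once,
// so a ciphertext captured off the wire cannot be replayed.
function serverLogin(ciphertextB64) {
  try {
    const blob = Buffer.from(ciphertextB64, 'base64');
    const msg = JSON.parse(crypto.privateDecrypt({ key: privateKey, ...OAEP }, blob).toString());
    if (!pendingNonces.delete(msg.nonce)) return false; // unknown or already used
    const rec = USERS.get(msg.user);
    if (!rec) return false;
    const got = crypto.scryptSync(String(msg.password), rec.salt, 32);
    return crypto.timingSafeEqual(got, rec.hash);
  } catch {
    return false; // malformed ciphertext or payload
  }
}
```

This hides the password only from someone listening passively: the session cookie still crosses the wire in clear text, and anyone able to alter the page in transit can swap the script or the key.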