Re: Security without HTTPS?

Peter Lauri wrote:
> Best groupmember,
>
> I am about to develop a simple admin tool for a webpage. My webhost (crappy
> but nonexpensive) does not support HTTPS and I still want to be able to
> create some sort of secure login.
>
> For the moment I am just using a form that sends the username and passwd
> with the POST method, and a script that verifies the username and passwd. When
> this is set I put a $_SESSION['usertype']="admin" and when an admin page is
> being requested I check that this session variable is "admin", otherwise
> I redirect to the login page and unset all session variables.
>
> Can someone from outside set a $_SESSION variable with some "hacker"
> technique?
>
> I assume it is easy to listen to the USERNAME and PASSWORD in the POST form.
>
> Someone with some tips and tricks to get a secure system without using
> HTTPS?

If you have no HTTPS you can try a JavaScript solution.

Encode with an encode-key in JavaScript before sending, and decode with a decode-key when receiving!

What you need is just a key which can encode but not decode, and the appropriate decode key on the server to decode it.

Just try to look for some JavaScript on the web!

--
Sebastian Mendel

www.sebastianmendel.de www.warzonez.de www.tekkno4u.de www.nofetish.com
www.sf.net/projects/phpdatetime        www.sf.net/projects/phptimesheet

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
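
The encode-key/decode-key idea from the reply above, as an added example that is not part of the original thread: both sides of the login are simulated in Node.js with RSA-OAEP (in a browser served over plain HTTP the encryption step would need a JavaScript RSA library). The one-time nonce, the function names and the sample password are assumptions of this sketch; the nonce is there so a sniffed POST body cannot simply be sent again.

```javascript
const { generateKeyPairSync, publicEncrypt, privateDecrypt, randomBytes,
        timingSafeEqual, createHash, constants } = require('node:crypto');

// Server: the public key is the "encode key" embedded in the login page,
// the private key is the "decode key" and never leaves the server.
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

const STORED_PASSWORD = 'correct horse'; // constructed sample; a real app stores a password hash
const outstandingNonces = new Set();     // nonces issued with a form and not yet used

// Server: called when rendering the login form.
function issueNonce() {
  const nonce = randomBytes(16).toString('hex');
  outstandingNonces.add(nonce);
  return nonce;
}

// Browser side (simulated): encrypt nonce + password before the POST.
function clientEncrypt(nonce, password) {
  const plain = Buffer.from(`${nonce}:${password}`);
  return publicEncrypt({ key: publicKey, ...OAEP }, plain).toString('base64');
}

// Server: decrypt the posted field, consume the nonce, then check the password.
function serverVerify(postedB64) {
  let plain;
  try {
    const ct = Buffer.from(postedB64, 'base64');
    plain = privateDecrypt({ key: privateKey, ...OAEP }, ct).toString();
  } catch {
    return false; // malformed or tampered ciphertext
  }
  const sep = plain.indexOf(':'); // nonce is hex, so the first ':' ends it
  const nonce = plain.slice(0, sep);
  const password = plain.slice(sep + 1);
  // delete() returns false for an unknown or already used nonce (a replay).
  if (!outstandingNonces.delete(nonce)) return false;
  const a = createHash('sha256').update(password).digest();
  const b = createHash('sha256').update(STORED_PASSWORD).digest();
  return timingSafeEqual(a, b);
}
```

This covers only the password field against passive listening: the session cookie and the page's own JavaScript still travel unencrypted over HTTP.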

