If you use the Autority HTTP that pops up a login window by default, is that safe against "listeners"? /Peter "Sebastian Mendel" <lists@xxxxxxxxxxxxxxxxxx> skrev i meddelandet news:20041118115027.94105.qmail@xxxxxxxxxxxxxxx > Peter Lauri wrote: > > Best groupmember, > > > > I am about to develop an simple admintool for a webpage. My webhost (crappy > > but nonexpensive) does not support HTTPS and I still want to be able to > > create some sort of secure login. > > > > For the moment I am just using a form that sends the username and passwd > > with POST method that verifies the username and passwd in a script. When > > this is set I put a $_SESSION['usertype']="admin" and when a adminpage is > > beeing requested I check so that this sessionvariable is "admin", othervise > > I redirect to the loginpage and unset all session variables. > > > > Can someone from outside set a $_SESSION variable with some "hacker" > > techniqe? > > > > I assume it is easy to listen to the USERNAME and PASSWORD in the POST-form. > > > > Someone with some tips and tricks to get a secure system without using > > HTTPS? > > if you have no https you can try a javascript-solution > > encode with a encode-key with javascript before sending and decode with > a decode-key when recieving! > > just what you need is key who can encode but not decode! und the > appropriate decode key on the server, to decode it. > > just try to look for some javascript in the web! > > -- > Sebastian Mendel > > www.sebastianmendel.de www.warzonez.de www.tekkno4u.de www.nofetish.com > www.sf.net/projects/phpdatetime www.sf.net/projects/phptimesheet -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
