On Thu, 18 Nov 2004 12:41:01 +0100, Peter Lauri <peter@xxxxxxxx> wrote:
> Best groupmember,
>
> My webhost (crappy but nonexpensive) does not support HTTPS and I still want to be able to
> create some sort of secure login.
>
> Someone with some tips and tricks to get a secure system without using
> HTTPS?
>

Not really that secure, but you could do this:

1. When the login page is requested, generate a random string from the server. Let's call this string STR.
2. On the browser, after the user enters his login name and password, DON'T send this per se. Instead, do some operation on the password and STR and return this instead (like concatenate STR and password, then SHA1 hash it).
3. Server performs the same operation with STR and the password in the database, and compares this with the value submitted from the client.

So, at no time is the password itself sent.

I'm sure there are SHA1 or at least MD5 functions already written in JavaScript.

I know there is a term for this method, but it escapes me.

HTH!

----
ramil
http://ramil.sagum.net

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
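
The three steps described in the reply above, as an added example that is not part of the original message. It is written for Node.js so both sides run in one file; the function names, the session ids and the sample user are assumptions, and the single-use handling of STR and the constant-time comparison are additions that the reply does not mention.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed sample data: the scheme needs the server to hold the password itself.
const users = new Map([['alice', 'correct horse']]);
const pending = new Map(); // session id -> STR issued for that login page

function sha1Hex(text) {
  // SHA1 is the hash named in the message; the operation is hash(STR + password).
  return nodeCrypto.createHash('sha1').update(text, 'utf8').digest('hex');
}

// Step 1 (server): generate a random STR when the login page is requested.
function issueChallenge(sessionId) {
  const str = nodeCrypto.randomBytes(16).toString('hex');
  pending.set(sessionId, str);
  return str;
}

// Step 2 (browser): send the hash of STR and the password, never the password.
function clientResponse(str, password) {
  return sha1Hex(str + password);
}

// Step 3 (server): repeat the operation with the stored password and compare.
function verifyLogin(sessionId, user, response) {
  const str = pending.get(sessionId);
  pending.delete(sessionId); // STR is single use, so a captured response cannot be replayed
  const password = users.get(user);
  if (str === undefined || password === undefined) return false;
  const expected = Buffer.from(sha1Hex(str + password), 'hex');
  const got = Buffer.from(String(response), 'hex');
  return got.length === expected.length && nodeCrypto.timingSafeEqual(expected, got);
}

// Demo run with constructed values.
const demoStr = issueChallenge('demo-session');
const demoResponse = clientResponse(demoStr, 'correct horse');
console.log('first attempt :', verifyLogin('demo-session', 'alice', demoResponse));
console.log('replayed again:', verifyLogin('demo-session', 'alice', demoResponse));
```

STR and the response both cross the wire unencrypted, so the password is never sent but anyone who records the pair can test password guesses against it offline.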