Languages
Feeds in the planet
English
Spanish
Nederlands
Japanese
Português
Czech
Deutsch
Login without HTTPS, how to secure?
Submitted by Derick Ng on 26 February 2010 - 2:43am
For a webapplication, when HTTPS is not available as a security measure, is it possible to still make the login somewhat secure? E.g.:
- Tokenize logins, to make repeat attacks difficult?
- Somehow encrypt the sent password from a HTML password field?
In particular I'm using CakePHP and an AJAX POST call to trigger authentication (includes provided username and password).
Update on the problem:
- HTTPS is not available. Period. If you don't like the the situation, consider it a theoretical question.
- There are no explicit requirements, you have whatever HTTP, PHP and a browser (cookies, JavaScript etc.) offers in real life (no magic RSA binaries, PGP plugins).
- Question is, what is the best, you can make out of this situation, that is better than sending the passwords plaintext. Knowing the drawbacks of each such solutions is a plus.
Similar entries
- Cake Php auth problem
- Cookie not renewing/overwriting in IE
- CakePHP: Clearing password field on failed submission
- Using the Security Component in CakePHP for SSL
- CakePHP password field is empty
- Tips to Secure Your Web Hosting Server
- Deploying a CakePHP app with Capistrano
- CakePHP Auth Component "login" Method Failure in IE8 + Safari
- CakePHP authentication breaking after an incorrect login
- Secure CakePHP via Sessions & Magic (Login / Logout)
Popular content
Today's:
All time:
