Greets,
I have a question about PHP and browser-side encryption. I currently
authenticate my users to an LDAP system using the PHP LDAP APIs. The user
enters their login name and password on a browser form, with the password
box masked so that only '*' characters are shown. However, this information
is sent in plaintext to the LDAP server, so an interloper could potentially
sniff the password off the network.
The second issue is that I am also presented with a way in which to grab the
user's password, simply by saving the contents of the password field and
dumping it to a text file or database from the PHP code.
My question is: what is the best way for me to do an LDAP bind without
having access to the password in plaintext? Can I encrypt the password as
the user types it in on the browser window, so that no form type variables
can be "trapped" by PHP? SSL will address the encryption of the passwords
after they are sent to the LDAP server, but it is probably a little bit of
overkill to encrypt the entire stream. It also permits me to "steal"
passwords from the PHP side, which is a security consideration. What is the
best, easiest solution for me to follow?
Cheers,
Jason
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
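Added example (not part of the original post or the PHP project's own code): the bind pattern the post describes, sent over an unencrypted LDAP connection, beside the same bind performed only after a StartTLS upgrade with the server certificate verified. It assumes a modern PHP with the ldap extension (PHP 7.1 or later for the global TLS options), a directory at ldap.example.com, user entries under ou=people,dc=example,dc=com keyed by uid, and a CA bundle at /etc/ssl/certs/corp-ca.pem; all of these are placeholders. It does not remove the second concern raised in the post: with an LDAP simple bind the directory receives the password itself, so the PHP process necessarily holds it for the duration of the request, and encrypting or hashing it in the browser only moves the secret, because whatever the browser sends is then the credential PHP must pass on.

```php
<?php
// Added example, not code from the original post. Names, hosts and paths are
// assumptions: ldap.example.com, ou=people,dc=example,dc=com, corp-ca.pem.
declare(strict_types=1);

const LDAP_HOST = 'ldap://ldap.example.com:389';
const LDAP_BASE = 'ou=people,dc=example,dc=com';
const CA_BUNDLE = '/etc/ssl/certs/corp-ca.pem'; // assumed path

// Build the user DN safely: ldap_escape() stops a crafted login name from
// injecting extra RDN components into the DN.
function user_dn(string $uid): string
{
    return 'uid=' . ldap_escape($uid, '', LDAP_ESCAPE_DN) . ',' . LDAP_BASE;
}

// Before: the pattern described in the post. The DN and password leave the
// web server unencrypted and can be read by anyone on the path to port 389.
function bind_plaintext(string $uid, string $password): bool
{
    $ds = ldap_connect(LDAP_HOST);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    $ok = @ldap_bind($ds, user_dn($uid), $password); // cleartext on the wire
    ldap_unbind($ds);
    return $ok;
}

// After: identical bind, but only once StartTLS has upgraded the socket and
// the directory's certificate has been checked against the pinned CA bundle.
function bind_over_tls(string $uid, string $password): bool
{
    // An LDAP simple bind with an empty password is an anonymous bind and
    // "succeeds" for any DN, so reject it before touching the directory.
    if ($uid === '' || $password === '') {
        return false;
    }

    // Global TLS options must be set before the connection is created.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, CA_BUNDLE);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ds = ldap_connect(LDAP_HOST);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // never follow referrals to other hosts

    // If the TLS upgrade fails, do not fall back to binding in the clear.
    if (!ldap_start_tls($ds)) {
        ldap_unbind($ds);
        return false;
    }

    $ok = @ldap_bind($ds, user_dn($uid), $password);
    ldap_unbind($ds);
    return $ok;
}

// Form handler: the submitted password is used for the bind and nothing else,
// and is never written to a log, file, database or the session.
session_start();
$user = (string) ($_POST['username'] ?? '');
$pass = (string) ($_POST['password'] ?? '');

if (bind_over_tls($user, $pass)) {
    session_regenerate_id(true); // fresh session id on privilege change
    $_SESSION['user'] = $user;
} else {
    http_response_code(401);
}
unset($pass);
```

Connecting to ldaps://ldap.example.com:636 instead of calling ldap_start_tls() gives the same protection on the directory leg with the same certificate options; either way the browser-to-PHP leg still needs HTTPS, since that is where the form field itself travels.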