Don't know much about LDAP so I can't answer those questions, but the only
way (short of creating/requiring a plug-in just to encrypt the data, which
isn't a good idea) to have the user send an encrypted password is to use SSL
on the login/creation page. That means you can't ever send their password
through the URL of a non-SSL page for security, but you shouldn't do that
anyway.
That's the only "browser side" encryption that all browsers support.
--
Plutarck
Should be working on something...
...but forgot what it was.
"Jason Mowat" <[EMAIL PROTECTED]> wrote in message
news:9c1rja$5kp$[EMAIL PROTECTED]...
> Greets,
>
> I have a question about PHP and browser-side encryption. I currently
> authenticate my users to an LDAP system using the PHP LDAP APIs. The user
> enters their login name and password on a browser form, with the password
> box being set to all '*'s for password. However, this information is sent
> 'plaintext' to the LDAP server, so an interloper could potentially sniff the
> password off of the network.
>
> The second issue is that I am also presented with a way in which to grab the
> user's password, simply by saving the contents of the password field and
> dumping it to a text file or database from the PHP code.
>
> My question is: what is the best way for me to do an LDAP bind without
> having access to the password in plaintext? Can I encrypt the password as
> the user types it in on the browser window, so that no form type variables
> can be "trapped" by PHP? SSL will address the encryption of the passwords
> after they are sent to the LDAP server, but it is probably a little bit of
> overkill to encrypt the entire stream. It also permits me to "steal"
> passwords from the PHP side, which is a security consideration. What is the
> best, easiest solution for me to follow?
>
> Cheers,
> Jason
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
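
Added example, not part of either message above: a PHP login handler that accepts the password only from a POST body on an HTTPS request, as the reply recommends, and upgrades the LDAP connection with StartTLS before binding. The host name, base DN, `uid=` DN layout and form field names are assumptions for illustration.

```php
<?php
// Added example. LDAP_HOST, BASE_DN and the form field names are assumptions.
const LDAP_HOST = 'ldap.example.com';            // placeholder host
const BASE_DN   = 'ou=people,dc=example,dc=com'; // placeholder directory layout

function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
}

function ldap_login(string $user, string $password): bool
{
    // An empty password turns a simple bind into an unauthenticated bind,
    // which many servers accept, so reject it before touching LDAP.
    if ($user === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect('ldap://' . LDAP_HOST);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Encrypt the web-server-to-LDAP hop; refuse to bind in cleartext.
    if (!@ldap_start_tls($conn)) {
        return false;
    }
    // Escape the login name so it cannot alter the structure of the DN.
    $dn = 'uid=' . ldap_escape($user, '', LDAP_ESCAPE_DN) . ',' . BASE_DN;
    $ok = @ldap_bind($conn, $dn, $password);
    ldap_unbind($conn);
    return $ok;
}

// Accept credentials only from a POST body on an HTTPS request, never a URL.
if (!request_is_https($_SERVER) || ($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(400);
    exit('Login requires HTTPS and POST.');
}
$ok = ldap_login((string)($_POST['login'] ?? ''), (string)($_POST['password'] ?? ''));
unset($_POST['password']); // do not log, store or echo the password
echo $ok ? 'Authenticated' : 'Login failed';
```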