Re: [PHP] protecting passwords when SSL is not available

2006-03-28 Thread Evan Priestley
r help Satyam - Original Message - From: "Evan Priestley" <[EMAIL PROTECTED]> To: "Satyam" <[EMAIL PROTECTED]> Cc: Sent: Monday, March 27, 2006 5:41 PM Subject: Re: [PHP] protecting passwords when SSL is not available This is called a "nonce"[1], a

Re: [PHP] protecting passwords when SSL is not available

2006-03-27 Thread Satyam
- Original Message - From: "Evan Priestley" <[EMAIL PROTECTED]> To: "Satyam" <[EMAIL PROTECTED]> Cc: Sent: Monday, March 27, 2006 11:58 PM Subject: Re: [PHP] protecting passwords when SSL is not available The client cannot and does not send the session_id(

Re: [PHP] protecting passwords when SSL is not available

2006-03-27 Thread Evan Priestley
on to spoofing. Anyway, this is a poor man's replacement for SSL, with limitations, but it is good to know what those limitations are. Thanks for your help Satyam - Original Message - From: "Evan Priestley" <[EMAIL PROTECTED]> To: "Satyam" <[EMAIL PROT

Re: [PHP] protecting passwords when SSL is not available

2006-03-27 Thread Satyam
Cc: Sent: Monday, March 27, 2006 5:41 PM Subject: Re: [PHP] protecting passwords when SSL is not available This is called a "nonce"[1], and the method you've described will give you marginally less awful security than submitting a plaintext password or an unadulterated hash of t

Re: [PHP] protecting passwords when SSL is not available

2006-03-27 Thread Evan Priestley
This is called a "nonce"[1], and the method you've described will give you marginally less awful security than submitting a plaintext password or an unadulterated hash of the password, but, obviously, is in no way a substitute for real SSL. For instance, if this password puts the session in