开发者

Send password from form on HTTP to php script on HTTPS

开发者 https://www.devze.com 2023-02-15 16:21 出处:网络
I have a login form situated on my home page on HTTP. I want the user to type in their username and password there (as a shortcut) and then send the vari开发者_运维知识库ables to my login script on HT

I have a login form situated on my home page on HTTP. I want the user to type in their username and password there (as a shortcut) and then send the vari开发者_运维知识库ables to my login script on HTTPS.

Is it safe enough to do it this way? I really don't want the home page to run on HTTPS as well as it makes things slower without any gain really except safe variable transfer obviously, apologies if my terminology is wrong here.

Advice would be much appreciated.

// EDIT:

All passwords are hashed with SHA1 and a hashed salt [sha1(sha1(password).sha1(salt))] before inserted into the db, and this will happen on the login script on HTTPS before being authenticated against the db password


just change the action argument from your form to the HTTPS url you want to access :

<form action="https://www.example.com/login.php">

The data will be sent to this url using the HTTPS protocol. This is assuming you use a "normal" submit button and not some custom way to send the form.

edit: As suggested in other answer, once logged, ALL the traffic must be done in HTTPS to avoid cookies theft or other problems. Only the home page when not logged can be securely accessed trough HTTP, once the user has entered any login information, the subsequent traffic must be encrypted.


My suggestion is that if you care to encrypt username / password, you should care to encrypt the traffic as well. For example, how are you going to maintain state with a user login? Sessions? That relies on a cookie, which if someone were to intercept the session_id, they could impersonate that logged in user. So basically, if someone cares enough to intercept your usernames and passwords, they would care enough to sniff the plain text cookies, and achieve the same result.


Yes - the action of the form should point to https://blah.blah...

The protocol then dictates that the browser initiate a connection , swap encyptions keys , encrypt data and finally send.

The fact you are on a public page posting to a secure page is irrelevant.

0

精彩评论

暂无评论...
验证码 换一张
取 消