How do I handle user authorization the safest way?

Question

I'm developing a small website where I'm going to allow user to create accounts but I'm quite clueless when it comes to safety around authorizations.

I have built my project in PHP with codeigniter and found a library (Tank Auth) that could handle authorization for me. It stores password in a safe way but I'm still worried about the part when the user sends their password to my server.

One easy way to do it would be to send the password in a post-request but I would guess that it's quite easy to sniff such a password. Should I do something with the password on the client side before sending it to my server? And is there any good javascript libraries for this?

Answer 1

As others have said SSL is the prefered way to go.

David Wotever metioned hashing - there's a detailled discussion of the process here

An alternative approach would be to rely exclusively on external providers to handle your authentication for you - openid being the most obvious candidate.

HTH

C.

Answer 2

You can muck around with client-side hashing, but in general POSTing the credentials over a secure (HTTPS) connection is considered sufficient.

This still leaves the possibility of MITM attacks… But performing an MITM attack on an SSL connection isn't entirely trivial, so it's probably not an attack vector you need to be too concerned with.