Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

password sent via post secure? [duplicate]

Tags:

php

header

Possible Duplicate:
How secure is a HTTP POST?

Suppose I have a login page in php where a user is required to enter his name and password. form method is post in this case.

Now someone(my friend) told me that the information(username and password) that is entered and sent to the server can be hacked just by fetching the header of the resulting page generated. So you should encrypt the header and that is why HTTPS is used.

This didn't make sense to me because I thought the information (username and password) sent via post method are completely secure and just by header hacking one cannot have access to to the username and password.

Is my friend correct? If no is there any way to do such stuff for someone who has no access to the code? How can I send my private information via HTTPS (page to be coded in php)?

EDIT:

Data through get method is sent via header. Right? Is data through post also sent via header?

like image 876
Prasoon Saurav Avatar asked Jul 28 '10 14:07

Prasoon Saurav


People also ask

Is it safe to send password via POST?

It is a standard practice to send "plain text" passwords over HTTPS via POST method. As we all know the communication between client-server is encrypted as per TLS, so HTTPS secures the password.

Why are passwords sent in a separate email?

Having a strong and separate password for your email means that if cyber criminals steal the password for one of your less-important accounts, they can't use it to access your email account. The NCSC encourages people to use password managers, which can create strong passwords for you (and remember them).

Why POST is more secure than get?

GET is less secure than POST because sent data is part of the URL. POST is a little safer than GET because the parameters are stored neither in the browser history nor in the web server logs.


1 Answers

Your password is not secure if you just send it with POST - still visible and unencrypted, albeit a tiny bit less obvious.

Sending an unencrypted password via POST is the most insecure, yet still relatively sane way of doing this. (yes, there are less secure ways, but those are completely insane - sending a password form through GET is about as secure as broadcasting it on TV or printing it in the newspaper).

This is what a typical GET request looks like:

GET http://somedomain.example.com/path/file?here=are&the=GET&parameters=.
X-Some-Header: header content
X-Another-Header: 1

Here's a similar POST request (note that you can send both GET and POST parameters in a POST request):

POST http://somedomain.example.com/path/file?here=are&the=GET&parameters=.
X-Some-Header: header content
X-Another-Header: 1
Content-Length: 40

with_POST&=the&content=is&here_in=the&request=body

As you can see, HTTP is a completely plaintext protocol - there is no encryption performed on the data, so anyone can view and/or modify it in transit. Access to the code is not necessary at all - just watch the traffic and your data will be there, for anyone to see (you can verify this with tools such as Wireshark which allows you to view network traffic).

To remove this need to trust the whole world, HTTPS (S is for Secure) was created, which provides encryption ("only the sender and receiver can read it") and authentication ("the server is indeed yourserver.example.com, and not evilserver.example.net").

HTTPS is a wrapper around HTTP: where with HTTP, the client connects to the webserver and starts the conversation, HTTPS first establishes a secure SSL tunnel, and the HTTP communication goes through that. Setting up a HTTPS server is a bit more complex than HTTP, see e.g. this article.

like image 164
Piskvor left the building Avatar answered Sep 28 '22 04:09

Piskvor left the building