I want to create a secure login, so I want to encrypt the password before I send it as POST parameter. I am doing it with a SHA1 javascript function.
Then I realize that if someone intercepts the encrypted password, he can use it right away. Sending it as a post parameter the same URL.
How can I be sure that the password comes from the login input field? Maybe with a PHP session? I don't want to use secure http yet. Anyone has a simple alternative?
How can I be sure that the password comes from the login input field?
You can't.
The closest thing to that is the usual defences against CSRF … but that will only stop people tricking users into submitting data from their site to your site. It won't protect passwords.
I don't want to use secure http yet. Anyone has a simple alternative?
HTTPS is the simple option.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With