Well, you're getting the reason for the security methods mixed up.
First, SSL only means that no one can know what data is being sent between
you're computer and the destination server.
If a site doesn't use SSL than someone can, technically, 'sniff' your
username and password and thus gain access to the site as if it was you that
were doing the logging in.
Things like sessions are used to keep data from having to be sent over a
connection more than they need to be.
For instance, if you log in to a site in SSL and then surf the site
logged-on in non-SSL mode, you're username and password are safe from
sniffers. But it doesn't mean someone can't hijack your session, which is
why the password should never be sent back to the user from the server.
Passwords should be one-way, from the user to the server.
Sites that don't use SSL aren't neccessarily unsafe as long as no one uses a
packet-sniffer on any connections to the site. That can be a very big if,
which is why all important information such as login and credit card numbers
should be handled over SSL only.
Since PHP is server-side, it doesn't really do anything in particular for
security. The only security on _any_ connection is using encrypted transfers
and not sending important data in clear-text.
Plutarck
""Bass¨Ð¦õªv"" <[EMAIL PROTECTED]> wrote in message
9eilgb$mth$[EMAIL PROTECTED]">news:9eilgb$mth$[EMAIL PROTECTED]...
> Hi
>
> I have a question . At some website which have webmail serivce , they
won't
> use SSL for login .
> Then how can they protect clinet's information and email ??
>
> they use sessions when login in ??
> use sessions is secure ??
>
> Is there another security method in PHP ?
>
>
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
