|
| JavaScript doesn't implement any kind of one-way hashing. But that's for a
| good reason: suppose JavaScript encoded your password and sent it encoded to
| the server. The in-between hacker would retrieve the encoded password as it
| is sent to the server and simply pass that as the password - he doesn't ever
| need to know your unencoded password to break in, since the server expects
| it to be encoded anyway!
And what about those guys who visit your site, download your page with the
JavaScript encoder in the source HTML, and find out how a crypted password
can be decrypted?
I'm not aware of how the JavaScript source can be hidden.
| So you're only left with SSL for proper security...
Yes. SSL must be developed for reasons of this kind.
|
| HTTP_AUTH is just another way of sending the username and password as plain
| text -- it's just more comfortable to use than checking if you have proper
| credentials in every page. My personal recommendation is to forget about
| HTTP_AUTH and use SSL plus phplib for proper security.
Yes, agreed.
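
Added example, not part of the original messages: a Node.js sketch of the two points in the quoted text, that a password hashed in the browser becomes the value the server actually accepts, and that HTTP Basic auth only base64-encodes the credentials. The account, password and function names are constructed for illustration.

```javascript
// Added illustration; all names and sample values are constructed.
const { createHash } = require('node:crypto');

const sha256 = (s) => createHash('sha256').update(s).digest('hex');

// Scheme from the quoted text: the browser hashes the password and the
// server compares whatever arrives with the hash it has on record.
const stored = { alice: sha256('correct horse') }; // constructed account

function loginWithClientHash(user, sentHash) {
  return stored[user] === sentHash;
}

// What the browser would put on the wire when TLS is absent.
function clientRequest(user, password) {
  return { user, sentHash: sha256(password) };
}

// HTTP Basic: the header is base64("user:password"), an encoding with no key.
function basicHeader(user, password) {
  return 'Basic ' + Buffer.from(`${user}:${password}`).toString('base64');
}

function decodeBasic(header) {
  const text = Buffer.from(header.slice('Basic '.length), 'base64').toString('utf8');
  const i = text.indexOf(':'); // the password itself may contain ':'
  return { user: text.slice(0, i), password: text.slice(i + 1) };
}

function demo() {
  const wire = clientRequest('alice', 'correct horse');
  // The clear-text password never appears in the request...
  const passwordOnWire = Object.values(wire).includes('correct horse');
  // ...yet the same bytes, sent again unchanged, still pass the server check:
  // the hash has become the credential.
  const replayAccepted = loginWithClientHash(wire.user, wire.sentHash);
  // Basic auth: anyone holding the header recovers the password directly.
  const basic = decodeBasic(basicHeader('alice', 'correct horse'));
  return { passwordOnWire, replayAccepted, basicPassword: basic.password };
}

console.log(demo());
```

Both results lead to the thread's conclusion: without an encrypted transport, whatever the client sends is what an observer needs, so the protection has to come from SSL/TLS.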