| JavaScript doesn't implement any kind of one-way hashing. But that's for a 
| good reason: suppose JavaScript encoded your password and sent it encoded to 
| the server. The in-between hacker would retrieve the encoded password as it 
| is sent to the server and simply pass that as the password - he doesn't ever 
| need to know your undencoded password to break in, since the server expects 
| it to be encoded anyway!

and what about those guys who visit your site, download your page with the 
javascript encoder in the source HTML, and finds out how a crypted password
can be decrypted?

I 'm not aware of how the javascript source can be hidden.

| So you're only left with SSL for proper security...

Yes. SSL must be developed for reasons of this kind.

| HTTP_AUTH is just another way of sending the unsername and password as plain 
| text -- it's just more comfortable to use than checking if you have proper 
| credeintials in every page. My personal recommendation is to forget about 
| HTTP_AUTH and use SSL plus phplib for proper security.

Yes, agreed.

Reply via email to