"Jan grafström" <[EMAIL PROTECTED]> wrote in message
> I have made a file wich start a session and set a session variable if user
> and pass are verifyed.
> Than I use the session variable to protect all other userfiles.
> To run the file I enter:
> http://myserver.com/start.php3?user=xxxxx&pass=yyyyyy
> What is the differans using SSL and enter the same url?
> If a hacker sniff the ssl-string can he send that string and start the
> anyway?

SSL connections are inherently encrypted. The encryption is done in such a
manner that makes a 'record/playback' attack impossible, as the key used to
encrypt things with changes. I don't recall the exact specifics right
off-hand but any good resource on SSL will explain it.

SSL is completely encrypted, right down to everything sent over the wire. If
someone was sniffing they'd just see a bunch of random garbage that would do
them very little use.

However, displaying the username and password as part of the URL (GET
method) is a security risk in the sense that many browsers will keep it in
their history and thus someone with access to the history can determine
their username/password. POST would really be a better method to use here in
this case.

-- Daniel Grace

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to