Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Peter Gutmann
Rene Veerman rene7...@gmail.com writes: Recently, on both the jQuery(.com) and PHP mailinglists, a question has arisen on how to properly secure a login form for a non-ssl web-application. But the replies have been get ssl.. :( I disagree, and think that with a proper layout of authentication

Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Alexander Klimov
On Sun, 15 Feb 2009, Rene Veerman wrote: Recently, on both the jQuery(.com) and PHP mailinglists, a question has arisen on how to properly secure a login form for a non-ssl web-application. But the replies have been get ssl.. :( Unfortunately, they are right: get SSL. If you have a

Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Erwan Legrand
Hi, Recently, on both the jQuery(.com) and PHP mailinglists, a question has arisen on how to properly secure a login form for a non-ssl web-application. But the replies have been get ssl.. :( What makes you think these are ill-advised? I disagree, and think that with a proper layout of

Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Ivan Krstić
On Feb 15, 2009, at 7:30 AM, Rene Veerman wrote: Recently, on both the jQuery(.com) and PHP mailinglists, a question has arisen on how to properly secure a login form for a non-ssl web- application. What's the threat model? users[user_id].user_login_hash = onewayHash(user_login_name +

how to properly secure non-ssl logins (php + ajax)

2009-02-16 Thread Rene Veerman
Hi. Recently, on both the jQuery(.com) and PHP mailinglists, a question has arisen on how to properly secure a login form for a non-ssl web-application. But the replies have been get ssl.. :( I disagree, and think that with a proper layout of authentication architecture, one can really