"Jan grafström" <[EMAIL PROTECTED]> wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > I have made a file wich start a session and set a session variable if user > and pass are verifyed. > Than I use the session variable to protect all other userfiles. > > > To run the file I enter: > http://myserver.com/start.php3?user=xxxxx&pass=yyyyyy > > What is the differans using SSL and enter the same url? > If a hacker sniff the ssl-string can he send that string and start the file > anyway?
SSL connections are inherently encrypted. The encryption is done in such a manner that makes a 'record/playback' attack impossible, as the key used to encrypt things with changes. I don't recall the exact specifics right off-hand but any good resource on SSL will explain it.

SSL is completely encrypted, right down to everything sent over the wire. If someone was sniffing they'd just see a bunch of random garbage that would do them very little use.

However, displaying the username and password as part of the URL (GET method) is a security risk in the sense that many browsers will keep it in their history and thus someone with access to the history can determine their username/password. POST would really be a better method to use here in this case.

-- Daniel Grace

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
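
The point about POST in the reply above, as an added example that is not part of the original thread: a PHP login handler that accepts the credentials only in the POST body of an HTTPS request, so they never appear in the URL or the browser history. The sample account, the field names `user`/`pass` and the session key `auth_user` are assumptions.

```php
<?php
// Added example, not code from the thread. The account table, the form field
// names and the session key are assumptions made for illustration.

// Constructed sample account; a real application would load the stored hash
// from its user store instead of hashing a literal on every request.
$users = ['demo' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];

function authenticate(array $users, string $user, string $pass): bool
{
    // Unknown users are checked against a throwaway hash so both paths do
    // comparable work before returning false.
    $hash = $users[$user] ?? password_hash('unused', PASSWORD_DEFAULT);
    return password_verify($pass, $hash) && isset($users[$user]);
}

// Refuse plain HTTP: without SSL the request can be read on the wire.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    exit('HTTPS required');
}

// Refuse GET: start.php3?user=...&pass=... would be kept in browser history.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Allow: POST');
    http_response_code(405);
    exit('Use POST');
}

// Credentials come from the request body only; $_GET is never consulted.
$user = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';
if (!is_string($user) || !is_string($pass) || !authenticate($users, $user, $pass)) {
    http_response_code(401);
    exit('Login failed');
}

// The session cookie is sent over HTTPS only and is hidden from scripts.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();
session_regenerate_id(true);      // issue a fresh session id at login
$_SESSION['auth_user'] = $user;   // the variable the other pages check
echo 'Logged in';
```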