Question
I have a login form in Yii which requires a username and password. My problem is that the password is plain text, so it may cause a security issue. For this I MD5 the password before submitting the form via AJAX:
<div class="form">
    <?php $form=$this->beginWidget('CActiveForm', array(
        'id'=>'login-form',
        'enableAjaxValidation'=>true,
    )); ?>
    <p class="note">Fields with <span class="required">*</span> are required.</p>
    <div class="row">
        <?php echo $form->labelEx($model,'username'); ?>
        <?php echo $form->textField($model,'username'); ?>
        <?php echo $form->error($model,'username'); ?>
    </div>
    <div class="row">
        <?php echo $form->labelEx($model,'password'); ?>
        <?php echo $form->passwordField($model,'password'); ?>
        <?php echo $form->error($model,'password'); ?>
        <p class="hint">
            Hint: You may login with <tt>demo/demo</tt>.
        </p>
    </div>
    <div class="row rememberMe">
        <?php echo $form->checkBox($model,'rememberMe'); ?>
        <?php echo $form->label($model,'rememberMe'); ?>
        <?php echo $form->error($model,'rememberMe'); ?>
    </div>
    <div class="row submit">
        <?php echo CHtml::submitButton('Login',array('id'=>'submit')); ?>
    </div>
    <?php $this->endWidget(); ?>
</div><!-- form -->
<script>
$("#submit").click(function(e){
    // Hold the normal submit until the AJAX call has replaced the field value;
    // otherwise the form is posted with the plain password before the response arrives.
    e.preventDefault();
    var password = $("#LoginForm_password").val();
    $.ajax({
        type: 'POST',
        url: '<?php echo Yii::app()->createUrl("user/encrptpassword"); ?>',
        data: {'password': password},
        success: function(data){
            // Replace the plain password with the MD5 returned by the server, then submit.
            $("#LoginForm_password").val(data);
            $("#login-form").submit();
        }
    });
});
</script>
// Controller action that returns the MD5 of the posted password.
public function actionEncrptpassword(){
    echo md5($_POST['password']);
}
But this is also not safe, as the AJAX POST data is also visible on inspecting.
Please let me know how I can encrypt my password before submitting the form.
Answer 1:
Use SSL; that's the whole point of it. http://clouldflare.com gives free SSL for any domain.
Answer 2:
Take a look at GPG. You generate a pair of keys: public and private.
You use the public key to encrypt the user's password with JavaScript on the client side: https://github.com/openpgpjs/openpgpjs
Then you should use your private key to decrypt the message on the server side: http://php.net/manual/ru/book.gnupg.php
Notice: the client-side library depends on the user's browser and can be buggy. Use it if you can control this.
To avoid replay attacks you can use a random token and store it in the user's session. You display it on the login form, grab it for hashing on the client side and use it for validation on the server side from the user's session. This and other options are described on the wiki page.
Source: https://stackoverflow.com/questions/40798145/how-to-encrypt-password-before-post-from-login-form