Login Without Https, How to Secure

Login form without ssl

No it's not ok.

If your users reuse the same password, then it may compromise more important accounts.

Because it's insecure, Firefox warns in the console log that it's not secure.

If you want a login on your front page, why not just use https everywhere? It's easier to configure, and faster (with spdy/http2) than http, and you are sure that nobody inserts ads in your website (some ISPs do that on http...)

And, a login/password is personal information. In most countries, like in Europe, you have an obligation to protect it.

About the New York Times, yes, they do use http, but it's harder for a big website to migrate. But yes, they should use https.

Note that https alone is not sufficient: your website may still be vulnerable to sslstrip attacks. When asking for passwords or personal information, you should use HSTS, the only protection against that attack. (It will force the https connection, but for that you must activate https for the whole domain.)

Creating a secure login script in PHP and MySQL without HTTPS

Although you could create a login system yourself, it is strongly recommended to let external parties do it for you.

It takes a lot of experience to get it right, and it is so often done wrong.

Although the tutorial looks okay to me, there are just so many factors to consider, and it also seems to be semi-old. PHP 5.5 offers password_hash and password_verify, which I would recommend over what your page suggests.

So if you have to make your own system, consider making use of the above-mentioned functions; if you're restricted to lower PHP versions, there are backports down to version 5.3.7 available.

If you don't have to make your own system, make use of external parties (Google, Facebook) to handle the logging in for you, or make use of a framework that has authentication support.

So in the general gist of it: don't try to do it yourself; make use of what other people, who have years of experience in it, offer, as it is incredibly difficult to get it right.

Secure Authentication without SSL

You send the t-salt and the hashing algorithm. It wouldn't take long to calculate the password inside the hash.

You should reconsider SSL in my opinion.

Secure Login credential without using SSL

There are a number of authentication schemes which can work securely over plain HTTP. The most common of these is Digest, which is supported by all major web browsers and virtually every web programming framework.

The downside of using Digest for web sites is that:

  • The authentication is handled by the browser itself rather than a login page on the web site, which doesn't look nearly as nice, and doesn't allow you to have all the surrounding helper functions like "forgot your password?" that we've come to expect nowadays.

  • If you have no SSL connection, savvy users may feel worried that they are sending their password insecurely (even though they aren't) because they've been trained to look for an SSL connection when entering credentials.

There are other schemes such as OAuth which also are safe over plain HTTP, but that is really more for APIs than web sites, so probably isn't what you want.

HTTPS only for the login page - Is it recommended?

Having https only on the login page is insecure:

  • It means you don't use HSTS, which is the only protection against SSLStrip.
  • It means an attacker can replace, on your http pages, your link to the login page with something else (like a popin that submits credentials to his server).
  • Once the user is connected, the cookie must have the secure attribute (it's really easy to steal cookies without it; see Firesheep).

The only secure way is to use https in all pages of your domain, use HSTS and redirect all http requests to https.

Can this approach compromise user's login credentials? Having all other pages on http - can an attacker get access to the credentials from the user session cookies?

An attacker can steal the session cookie, so he probably can do a lot of harm (depending on your security measures: change the password, the email, extract personal data...) and he can simulate disconnection and ask again for passwords on http webpages.

I could see many sites having this approach, so I think it might be safe.

No, it's not. They probably have a website too big to turn on https everywhere, so they did what they could to limit damages. (Or they are just lazy.)
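As an added example (not part of the original thread), here is a small audit script that checks captured HTTP responses for the three properties the answer above requires: plain http permanently redirected to https, an HSTS header on the https response, and the session cookie carrying the Secure attribute. The sample responses, the host name example.test and the cookie name are constructed for illustration.

```python
import re

def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, {header: [values]})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def audit_login_deployment(http_response: str, https_response: str) -> list:
    """Return the list of properties from the answer that these responses violate."""
    findings = []
    status, headers = parse_response(http_response)
    target = headers.get("location", [""])[0].lower()
    if status not in (301, 308) or not target.startswith("https://"):
        findings.append("http is not permanently redirected to https")
    status, headers = parse_response(https_response)
    hsts = headers.get("strict-transport-security", [""])[0]
    max_age = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not max_age or int(max_age.group(1)) == 0:
        findings.append("no HSTS header (or max-age=0), so sslstrip is not prevented")
    for cookie in headers.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {cookie.split('=', 1)[0]} lacks the Secure attribute")
    return findings

# Constructed sample responses: a deployment with https only on the login page...
WEAK_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<a href=https://example.test/login>log in</a>"
WEAK_HTTPS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Set-Cookie: PHPSESSID=abc123; Path=/\r\n\r\n")
# ...and one that follows the answer: redirect, HSTS, Secure cookie.
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n"
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
              "Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly\r\n\r\n")

if __name__ == "__main__":
    for name, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)), ("good", (GOOD_HTTP, GOOD_HTTPS))):
        print(name, audit_login_deployment(*pair) or "no findings")
```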
