|
|
Posted by Kimmo Laine on 11/21/61 11:53
<veg_all@yahoo.com> wrote in message
news:1153372625.911948.306070@i3g2000cwc.googlegroups.com...
> As I read about security it seems that the only secure way to encrypt
> data is to not store the key anywhere on the server. So I have the user
> manually type it in and it gets stored as a persistent cookie on their
> machine.
>
> In other words, when the log in, they are prompted for the key . the
> key is then posted via a form to a php script which stores the key as a
> cookie. Is this secure? Is there any loophole in doing it this way?
Well there's always the possibility of packet sniffing
(http://en.wikipedia.org/wiki/Packet_sniffer) as long as you are using http.
If you can set up an https server, then you can talk about secure. All data
from client to server, including the encryption key is then already
encrypted and can't be revealed by capturing packets like when using http.
--
"ohjelmoija on organismi joka muuttaa kofeiinia koodiksi" -lpk
spam@outolempi.net | Gedoon-S @ IRCnet | rot13(xvzzb@bhgbyrzcv.arg)
Navigation:
[Reply to this message]
|