Posted by Toby Inkster on 12/23/90 11:28
David Dorward wrote:
> So stay in HTTPS for the entire time the user is logged in if you want to
> keep the user's credentials (and the data they send and receive while
> logged in) secure.
Not necessarily -- you could do something like this:
https://example.org/login-screen.html
<!-- relative action, so the POST goes to https://example.org/login.php -->
<form action="login.php" method="POST">
<div>
<label>user: <input name="username"></label><br>
<label>pass: <input name="password" type="password"></label><br>
<input type="submit" value="Log in">
</div>
</form>
https://example.org/login.php
<?php
// Server-side secret; secure-content.php must use the same value so it can
// re-derive the cookie.
$mysecret = 'XhT6fg7P';
$u = isset($_POST['username']) ? $_POST['username'] : '';
$p = isset($_POST['password']) ? $_POST['password'] : '';
// getPasswordFromDatabase() is a placeholder for the site's own lookup and is
// assumed to return null for an unknown user.
$real = getPasswordFromDatabase($u);
// Strict comparison: with == an unknown user (null) would match an empty password.
if ($real !== null && $real === $p)
{
    // The cookie is derived from the secret and the password, so the password
    // itself is never sent back to the browser.
    $auth = md5($mysecret.$p);
    setcookie('username', $u);
    setcookie('auth', $auth);
    header("Location: http://example.org/secure-content.php");
}
else
    header("Location: https://example.org/login-screen.html");
exit; // stop here; nothing should run after a redirect
?>
http://example.org/secure-content.php
<?php
// Must match $mysecret in login.php.
$mysecret = 'XhT6fg7P';
$u = isset($_COOKIE['username']) ? $_COOKIE['username'] : '';
$a = isset($_COOKIE['auth']) ? $_COOKIE['auth'] : '';
$p = getPasswordFromDatabase($u); // placeholder; null for an unknown user
// Recompute the expected cookie from the stored password and compare
// strictly, so a cookie naming a nonexistent user is rejected as well.
$real = ($p === null) ? null : md5($mysecret.$p);
if ($real !== null && $real === $a)
{
    print "Secure content.\n";
}
else
{
    header("Location: https://example.org/login-screen.html");
    exit;
}
?>
Note: secure-content.php is served over plain HTTP; it's protected by
password; and the password is never passed in plain text.
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
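As an added illustration, not code from the post, here is a Python model of the two scripts above. The names USER_DB, SECRET (standing in for $mysecret), login(), secure_content() and replay_from_another_client() are the example's own, and the password table is constructed inline in place of getPasswordFromDatabase(). Running it shows the property the scheme rests on, that the server can re-derive the cookie from the stored password without the password ever crossing the wire again, and also what the cookie check in secure-content.php does not do: it accepts the two cookies from whoever presents them, so a copy taken from the plain-HTTP request verifies just as well, and the value is identical on every login until the password changes.

```python
import hashlib
import hmac

# Constructed stand-in for getPasswordFromDatabase(): the scheme needs the
# server to read the stored password back, so this table holds plaintext.
USER_DB = {"alice": "correct horse", "bob": "hunter2"}
SECRET = "XhT6fg7P"  # plays the role of $mysecret in both PHP scripts


def auth_token(secret: str, password: str) -> str:
    """md5($mysecret.$p), exactly as login.php computes the 'auth' cookie."""
    return hashlib.md5((secret + password).encode()).hexdigest()


def login(username: str, password: str, db=USER_DB, secret=SECRET):
    """Model of login.php: the cookies it would set, or None if login fails."""
    real = db.get(username)  # None for an unknown user
    if real is None or not hmac.compare_digest(real, password):
        return None
    return {"username": username, "auth": auth_token(secret, password)}


def secure_content(cookies: dict, db=USER_DB, secret=SECRET) -> bool:
    """Model of secure-content.php: True means 'Secure content.' is served."""
    u = cookies.get("username", "")
    a = cookies.get("auth", "")
    p = db.get(u)
    if p is None:
        return False  # unknown user: nothing to re-derive the cookie from
    return hmac.compare_digest(auth_token(secret, p), a)


def replay_from_another_client(captured: dict) -> bool:
    """Someone who saw the plain-HTTP request resends both cookies verbatim.

    secure-content.php has no client binding or expiry, so the copy verifies."""
    return secure_content(dict(captured))


def main():
    cookies = login("alice", "correct horse")
    print("first login served:", secure_content(cookies))
    again = login("alice", "correct horse")
    # The token is a pure function of (secret, password): same value every
    # login, invalidated only by a password change.
    print("same cookie on second login:", again["auth"] == cookies["auth"])
    print("replayed copy served:", replay_from_another_client(cookies))
    print("wrong password:", login("alice", "wrong"))
    print("unknown user with empty password:", login("mallory", ""))
    print("forged token served:",
          secure_content({"username": "alice", "auth": "0" * 32}))


if __name__ == "__main__":
    main()
```

hmac.compare_digest is used for both comparisons where the post's PHP uses ==; it gives strict, constant-time string equality, which is the behaviour the PHP needs rather than the type-juggling == provides.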