As far as I can tell, best practices of password handling for Yii do currently suggest that it is crypted on server-side before saving into DB. So a password is transferred from a browser to a server in almost readable form. In past (before Yii) I made login/registration forms which do not send password in plain text, but rather md5 (or better hashed) it before sending.
The question: does Yii support something similar from the shelf or should I implement the same logic manually?
Oh well, if you pass the hash of a password over the wire, you’re still passing a secret in “readable” form. Your best bet would be to use SSL.
You can do the same with Yii - it’s PHP too 
Generate a random key as salt before rendering the form and save it to the users session. The salt will have another value on each login.
Render the form with the salt in a hidden tag (input, span…) so that it’s readable by javascript (getElementbyId)
Send the hashed password - generated by javascript: md5(salt+password) - or md5(salt+md5(password)) if you save the md5-pw in the db - instead of the clear text pw.
at the server you verify the password of the found user from the db with the submitted hashed pw and the salt from session
delete the salt session value.
Hi,
check also
http://www.yiiframework.com/wiki/425/use-crypt-for-password-storage/
http://www.yiiframework.com/wiki/283/secure-password-hash-storage-and-a-yii-helper-extension/
I think there’s a bit of confusion here. Stan doesn’t want to store the password in a save manner but rather transmit it obfuscated in some way.
Perfect chance to state once again that SSL is fit for the job 