Password Encription In Browser

As far as I can tell, best practices of password handling for Yii do currently suggest that it is crypted on server-side before saving into DB. So a password is transferred from a browser to a server in almost readable form. In past (before Yii) I made login/registration forms which do not send password in plain text, but rather md5 (or better hashed) it before sending.

The question: does Yii support something similar from the shelf or should I implement the same logic manually?

Oh well, if you pass the hash of a password over the wire, you’re still passing a secret in “readable” form. Your best bet would be to use SSL.

You can do the same with Yii - it’s PHP too :wink:

  • Generate a random key as salt before rendering the form and save it to the users session. The salt will have another value on each login.

  • Render the form with the salt in a hidden tag (input, span…) so that it’s readable by javascript (getElementbyId)

  • Send the hashed password - generated by javascript: md5(salt+password) - or md5(salt+md5(password)) if you save the md5-pw in the db - instead of the clear text pw.

  • at the server you verify the password of the found user from the db with the submitted hashed pw and the salt from session

  • delete the salt session value.

Hi,

check also

http://www.yiiframework.com/wiki/425/use-crypt-for-password-storage/

http://www.yiiframework.com/wiki/283/secure-password-hash-storage-and-a-yii-helper-extension/

I think there’s a bit of confusion here. Stan doesn’t want to store the password in a save manner but rather transmit it obfuscated in some way.

Perfect chance to state once again that SSL is fit for the job ;)