As far as I can tell, best practices of password handling for Yii currently suggest that the password is crypted on the server side before being saved into the DB. So a password is transferred from a browser to a server in almost readable form. In the past (before Yii) I made login/registration forms which did not send the password in plain text, but rather md5 (or better hashed) it before sending.
The question: does Yii support something similar off the shelf, or should I implement the same logic manually?
Generate a random key as salt before rendering the form and save it to the user's session. The salt will have another value on each login.
Render the form with the salt in a hidden tag (input, span…) so that it's readable by JavaScript (getElementById).
Send the hashed password - generated by JavaScript: md5(salt+password) - or md5(salt+md5(password)) if you save the md5-pw in the db - instead of the clear text pw.
At the server you verify the password of the found user from the db with the submitted hashed pw and the salt from the session.
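The exchange described in the steps above, simulated in one Node.js process as an added example (not code from this thread or from Yii). The names `userDb`, `issueSalt`, `clientResponse` and `verifyLogin` are hypothetical, the sample user is constructed, and the single-use salt and constant-time comparison are assumptions added here.

```javascript
const crypto = require('crypto');

const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Constructed sample data: the DB stores md5(password), the answer's second variant.
const userDb = { alice: { pwHash: md5('correct horse') } };

// Server, before rendering the form: fresh random salt kept in the user's session.
function issueSalt(session) {
  session.loginSalt = crypto.randomBytes(16).toString('hex');
  return session.loginSalt; // this value goes into the hidden form field
}

// Browser: what the form's JavaScript sends instead of the clear-text password.
function clientResponse(salt, password) {
  return md5(salt + md5(password));
}

// Server, on submit: recompute from the stored hash and the session salt.
function verifyLogin(session, username, submitted) {
  const salt = session.loginSalt;
  delete session.loginSalt; // single use, so a captured response cannot be replayed
  const user = userDb[username];
  if (!salt || !user || typeof submitted !== 'string') return false;
  const expected = Buffer.from(md5(salt + user.pwHash), 'hex');
  const got = Buffer.from(submitted, 'hex');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

function demo() {
  const session = {};
  const salt = issueSalt(session);
  const response = clientResponse(salt, 'correct horse');
  const first = verifyLogin(session, 'alice', response);  // true
  const replay = verifyLogin(session, 'alice', response); // false: salt was consumed
  const wrongPw = verifyLogin({ loginSalt: salt }, 'alice', clientResponse(salt, 'guess')); // false
  return { first, replay, wrongPw };
}

console.log(demo());
```

The server computes the expected value from the stored md5(password) alone, so in this scheme the stored hash is as sensitive as the password itself.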