As far as I can tell, best practices of password handling for Yii currently suggest that it is crypted on the server side before saving into the DB. So a password is transferred from a browser to a server in almost readable form. In the past (before Yii) I made login/registration forms which do not send the password in plain text, but rather MD5 (or better, hash) it before sending.
The question: does Yii support something similar off the shelf, or should I implement the same logic manually?
Oh well, if you pass the hash of a password over the wire, you’re still passing a secret in “readable” form. Your best bet would be to use SSL.
You can do the same with Yii - it's PHP too.
Generate a random key as salt before rendering the form and save it to the user's session. The salt will have a different value on each login.
At the server you verify the password of the found user from the DB with the submitted hashed password and the salt from the session.
Delete the salt session value.
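The three steps above as one runnable exchange, written in Python as an added example rather than the poster's own PHP code. It assumes a constructed user table where the server keeps a per-user storage salt and a PBKDF2 verifier (not Yii's schema), uses HMAC to bind the per-attempt nonce (the poster's "salt") to that verifier, and deletes the nonce from the session after a single verification. It also exercises the caveat raised in this thread: a response computed from the stored verifier alone is accepted, so the verifier is itself the secret on the wire.

```python
import hashlib
import hmac
import secrets


def make_verifier(password: str, storage_salt: bytes) -> bytes:
    """Password-derived value the server stores instead of the password (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), storage_salt, 100_000)


# Constructed user table for the example; real storage would live in the DB.
STORAGE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {
    "stan": {"salt": STORAGE_SALT, "verifier": make_verifier("correct horse", STORAGE_SALT)},
}


class Server:
    def __init__(self, users):
        self.users = users
        self.sessions = {}  # session id -> nonce, valid for exactly one login attempt

    def begin_login(self, session_id: str, username: str):
        """Step 1: make a random per-attempt nonce and save it in the session."""
        nonce = secrets.token_bytes(16)
        self.sessions[session_id] = nonce
        user = self.users.get(username)
        # The browser needs the storage salt to recompute the verifier; send a
        # random dummy for unknown users so the response does not leak existence.
        salt = user["salt"] if user else secrets.token_bytes(16)
        return nonce, salt

    def finish_login(self, session_id: str, username: str, response: bytes) -> bool:
        """Step 2 and 3: check the response, then delete the nonce so it cannot be replayed."""
        nonce = self.sessions.pop(session_id, None)
        user = self.users.get(username)
        if nonce is None or user is None:
            return False
        expected = hmac.new(user["verifier"], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, storage_salt: bytes, nonce: bytes) -> bytes:
    """What the browser-side script would compute: HMAC(verifier, nonce)."""
    verifier = make_verifier(password, storage_salt)
    return hmac.new(verifier, nonce, hashlib.sha256).digest()


def response_from_stolen_verifier(verifier: bytes, nonce: bytes) -> bytes:
    """Caveat: whoever holds the stored verifier can answer without the password."""
    return hmac.new(verifier, nonce, hashlib.sha256).digest()


def demo():
    server = Server(USERS)

    # Normal login: correct password, fresh nonce.
    nonce, salt = server.begin_login("sess1", "stan")
    response = client_response("correct horse", salt, nonce)
    ok = server.finish_login("sess1", "stan", response)

    # Replaying the captured response fails because the nonce was deleted.
    replay = server.finish_login("sess1", "stan", response)

    # Wrong password with a fresh nonce fails.
    nonce2, salt2 = server.begin_login("sess2", "stan")
    wrong = server.finish_login("sess2", "stan", client_response("wrong", salt2, nonce2))

    # A copy of the DB verifier is enough to log in: the hash is the secret.
    nonce3, _ = server.begin_login("sess3", "stan")
    stolen = server.finish_login(
        "sess3", "stan", response_from_stolen_verifier(USERS["stan"]["verifier"], nonce3)
    )
    return ok, replay, wrong, stolen


if __name__ == "__main__":
    print(demo())
```

Note that this only stops passive replay of one captured response. Whoever can read the password on an unencrypted connection can also rewrite the page that carries the hashing script, so the scheme does not remove the need for SSL.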
I think there's a bit of confusion here. Stan doesn't want to store the password in a safe manner but rather transmit it obfuscated in some way.
Perfect chance to state once again that SSL is fit for the job