Passwords: Frontend And Backend

I implemented login with passwords stored in the database.

I encrypted the passwords using crypt and a salt that’s stored in the database, so the stored passwords are sufficiently safe.

My current problem lies in the following:

When the user presses submit on the login form, the entered username and password are sent to the server. The entered password is then compared to the encrypted password in the database in the method UserIdentity::authenticate(). I do not know, however, in what state the entered password is sent to the server (probably not encrypted?).

  • How do I know which code is executed in browser, and which on the server? (frontend-backend)

I’ve read some articles about separating frontend and backend in an application, is it necessary/advised that I do this here? (If it is, could someone point me to a good approach to this?)

  • How can I see what gets sent from the browser to the server (and vice versa)?

Can I see the (encrypted?) password that gets sent to the server?

In yii you are pretty much free to implement the password authentication itself as you like.

If you are using https, then the password will be encrypted but you can still see it clear on the server (and in the navigator).

To see what the navigator sends to the server, use the navigator’s debug functions!

Yii requires (“suggests”) that you create an application-dependent UserIdentity (extending CUserIdentity) and implement the authenticate() method. Usually authentication uses the $username and $password properties of CUserIdentity. ‘authenticate’ has to be called from the application (see the blog example (LoginForm)). Calling ‘authenticate’ does not log in the user; that is done in CWebUser - ‘login()’ of CWebUser has to be called with the UserIdentity as a parameter. CWebUser->login will log in the user whether the password matches or not, so password verification is done elsewhere (in LoginForm, by calling CUserIdentity->authenticate()).

Basically, the browser just submits a form with the password in it.

Separating the frontend and the backend does not have to imply a separation of the passwords.
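To make the flow described in the answers concrete, here is an added example (not code from this thread or from the Yii project) of a UserIdentity that verifies a crypt() hash and a LoginForm that calls authenticate() before CWebUser::login(). It assumes a Yii 1.x application with a User model exposing id, username and a password_hash column holding the full crypt() output; the password itself arrives in clear text in the POST body (protected in transit only by HTTPS), which is why the server re-runs crypt() on it.

```php
// Added illustration, not code from the thread or from the Yii project.
// Assumes a Yii 1.x app with a User model exposing id, username and
// password_hash (the full crypt() output, which carries its own salt).
class UserIdentity extends CUserIdentity
{
    private $_id;
    public function authenticate()
    {
        $user = User::model()->findByAttributes(array('username' => $this->username));
        if ($user === null) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
            return false;
        }
        // crypt() re-hashes the submitted password with the salt embedded in
        // the stored hash; hash_equals (PHP >= 5.6) avoids a timing side channel.
        $candidate = crypt($this->password, $user->password_hash);
        if (!hash_equals($user->password_hash, $candidate)) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
            return false;
        }
        $this->_id = $user->id;
        $this->errorCode = self::ERROR_NONE;
        return true;
    }
    public function getId()
    {
        return $this->_id;
    }
}

// In LoginForm (the form model the controller validates on POST): verify first,
// then hand the identity to CWebUser, which performs no password check itself.
class LoginForm extends CFormModel
{
    public $username;
    public $password;
    public function login()
    {
        $identity = new UserIdentity($this->username, $this->password);
        if (!$identity->authenticate()) {
            // Same message for both error codes so usernames cannot be enumerated.
            $this->addError('password', 'Incorrect username or password.');
            return false;
        }
        Yii::app()->user->login($identity, 0); // 0 = session only, no remember-me cookie
        return true;
    }
}
```

To answer the question about what the browser sends: the Network panel of the browser's developer tools shows the POST body, where this form's password field appears exactly as typed.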