siramthar
Posts: 5
Posted: 10/05/2011, 10:13 AM
Hi
How can I define in CCStudio that the login page has to encrypt the password before sending it to the database for comparison (or on the change password, to send the new encrypted password)? For example in PHP, you would use the crypt($string) function. Where should I define that?
And is the syntax something like crypt({password})?
Thanks!

datadoit
Posted: 10/05/2011, 10:23 AM
You can encrypt it all you want after the server-side PHP script gets a
hold of it and does a comparison against the database. However, it
still passes from the end user's browser to the server unencrypted,
unless you're running via HTTPS (SSL). You could do some encrypting via
JavaScript, but anyone with a lick of sense can look at that code.
Run your web application via SSL encryption.

datadoit
Posted: 10/05/2011, 10:27 AM
Also note that if you set your Project Settings up to use password
encryption, then CCS will handle the magic for you. See the Security
section under your Project Settings. We typically go the database MD5
route.
This doesn't exclude the need to encrypt the data transfer of that
password from the client to the server (SSL). Anyone snooping your
connection will see in clear text (i.e., plain as day) what that password
is, before it's encrypted at the server.

E43509
Posts: 283
Posted: 10/05/2011, 11:59 AM
Consider using CCS built-in encrypt password functionality. For more details, please refer to the CCS Help article User's Guide -> Working with projects -> Implementing Password Encryption.

siramthar
Posts: 5
Posted: 10/05/2011, 12:26 PM
Thank you very much!
I was looking for the syntax there, the md5({password}) one, or in my case crypt({password}) (for PHP).
Thanks for the info about taking into account that the code is encrypted in the server prior to passing the info to the db, and that before it could be sniffed if not using a ssh connection.
Best!
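
Server-side hashing as discussed in this thread, as an added example in plain PHP that is not part of the original posts and is not CodeCharge Studio's generated code: it verifies a login against the stored hash and, for rows that still hold an unsalted MD5 digest (the "database MD5 route" mentioned above), replaces the digest with a salted bcrypt hash after a successful login. The `$users` array and the function names are assumptions standing in for the real users table; the password still needs HTTPS while in transit.

```php
<?php
// Added example: $users is a constructed in-memory stand-in for the users table.

function hash_new_password(string $plain): string
{
    // password_hash() generates a random salt and embeds it in the result.
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

function is_legacy_md5(string $stored): bool
{
    // An unsalted MD5 digest is exactly 32 hex characters.
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

function verify_login(array &$users, string $login, string $plain): bool
{
    if (!isset($users[$login])) {
        return false;
    }
    $stored = $users[$login];

    if (is_legacy_md5($stored)) {
        // Constant-time comparison against the legacy digest.
        if (!hash_equals(strtolower($stored), md5($plain))) {
            return false;
        }
        // Password is correct: upgrade the row to a salted bcrypt hash.
        $users[$login] = hash_new_password($plain);
        return true;
    }

    if (!password_verify($plain, $stored)) {
        return false;
    }
    // Re-hash if the stored hash uses an older cost or algorithm.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12])) {
        $users[$login] = hash_new_password($plain);
    }
    return true;
}

// Constructed sample data: one legacy MD5 row, one bcrypt row.
$users = [
    'alice' => md5('correct horse'),
    'bob'   => hash_new_password('s3cret!'),
];

var_dump(verify_login($users, 'alice', 'correct horse')); // login with a legacy row
var_dump(is_legacy_md5($users['alice']));                 // row format after that login
var_dump(verify_login($users, 'bob', 'wrong password'));  // login with a bad password
```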