PHP Security - Password Sniffing

Password sniffing

Although attackers sniffing (watching) network communications between your users and applications are not specifically used for access control, it is becoming increasingly important to be aware of data exposure, especially for authentication information.

Using SSL can effectively prevent HTTP requests and responses from being exposed. Requests to any resource using the https scheme are protected against password sniffing. The best approach is to always use SSL to send authentication information. You may also want to use SSL to send all requests containing session IDs to prevent session hijacking.

In order to prevent user verification information from being exposed, use the https scheme in the URL of the action attribute of the form as follows:

CODE:
 
  <form action="https://example.org/login.php"
method="POST">
  <p>Username: <input type="text"
name="username" /></p>
  <p>Password: <input type="password"
name="password" /></p>
  <p><input type="submit"
/></p>
  </form>

It is highly recommended to use the POST method in the verification form, because whether you use SSL or not, doing so will expose less verification information than the GET method.

Although this is only done to protect the user's authentication information from being exposed, you should still use SSL for HTML forms. This is not done for technical reasons, but users will feel more comfortable entering verification information when they see that the form is protected by SSL (see Figure 7-1).

Figure 7-1. Most browsers will display a lock icon when the current resource is protected by SSL

The above is the content of PHP security-password sniffing. For more related content, please pay attention to the PHP Chinese website (www.php.cn)!