1. Theory
Over plain HTTP, the password typed into an ordinary form is sent to the server in plaintext. That is an open invitation to the bad guys! Here we'll talk about how to transfer the password safely.
Instead of transmitting the password itself, it is better to transmit an encrypted form of it, and MD5 is a good choice. First, it is almost impossible for two different inputs to produce the same MD5 digest; second, MD5 is irreversible. Thanks to these properties we can let the MD5 digest travel openly over the Internet without worrying that the password becomes known to the bad guys. The server encrypts the stored password in the same way and finally compares the two strings.
However, we cannot simply send the MD5 of the password over the Internet to log in: the bad guys would not learn our password, but they would certainly learn that this special string authorizes them to visit our website!
The key to solving this is a public key and a private key: the server first provides a random string, and the client appends the password to this random string and then encrypts the result.
For every login the server generates a different random string, so although your password does not change, the MD5 digest produced by the method above is completely different each time. Even if the bad guys capture these MD5 digests, they cannot work out your password from them.
In this method the random string provided by the server is called the "public key": it lives only a very short time and anyone may see it. Your password is the "private key": it lives a long time and is never revealed.
2. Implementation
Client-side JavaScript has no built-in MD5 function, but searching Google for "MD5 JavaScript" turns up plenty of JavaScript MD5 implementations.
On the PHP side there is not much to say: the built-in md5() function does it directly. The random string can be kept in the session (PHP is strong, ah~~).
3. Attention
In JS, Chinese characters are handled as UTF-8, so if your password contains Chinese and the password stored on the server is in GB2312, the two encrypted strings will be completely different!