I have been reading about encrypted login: without a certificate there is no HTTPS, so the login is not safe and all the POST values can be seen.
I found some information about encrypting data in JS and decrypting it in PHP, but it is still not very clear to me.
Presumably the idea is that the front end sends a request to the back end to obtain a key, then the front end encrypts and the back end decrypts.
(Without a certificate, this is just simple JS encryption.)
Questions
1. Is there a security risk when the front end requests a key, whether it is a cookie or a session?
2. Many of the concepts are not clear enough to me to ask good questions, but I hope the experts can help sort them out.
I saw a bit of this code at http://skysbird.duichenmei.com/?p=306, and the idea is somewhat clearer.
I also searched the internet for these two pieces of code.
------JavaScript
PHP------
$text = "Message";
// The key must be 16 or 32 bytes long; here MD5 directly gives a 32-character key
$key = md5($text);
$iv = '1234567812345678';
$crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $text, MCRYPT_MODE_CBC, $iv);
$decode = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $crypttext, MCRYPT_MODE_CBC, $iv);
echo base64_encode($crypttext);
echo "\n";
echo $decode;
echo "\n";
If the two correspond, the value encrypted in JS and sent to PHP equals $crypttext, but in mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $crypttext, MCRYPT_MODE_CBC, $iv); the $key is the MD5 of $text. That is not clear to me.
I am looking for a simple and detailed explanation.
Reply content:
- Right. Encryption carries a hidden risk when the key is transmitted in plaintext. There are even more frightening examples: it has been confirmed that Chinese operators have directly modified the JS function used for encryption.
- In JS and PHP, the same key generation rule is used here: define a custom string, then use its MD5 value as the AES key. This avoids issues such as padding the key to the required length.
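
The key rule from the answer and the PHP snippet's fixed IV, reproduced on the JS side as an added example that is not part of the original thread (Node.js stands in for the browser; function names and the sample password are constructed). It shows why the JS ciphertext only equals $crypttext when the padding matches mcrypt's, and that a fixed key and IV give output that is deterministic and readable by anyone who knows the key rule.

```javascript
// Added example, not code from the thread. Node.js stands in for the browser side.
const crypto = require('node:crypto');

const IV = Buffer.from('1234567812345678', 'ascii'); // fixed IV from the PHP snippet

// Key rule from the answer: MD5 of a custom string. PHP's md5() returns 32 hex
// characters, used byte-for-byte as the key, so MCRYPT_RIJNDAEL_128 runs as AES-256.
function deriveKey(secret) {
  return Buffer.from(crypto.createHash('md5').update(secret).digest('hex'), 'ascii');
}

// mcrypt_encrypt() pads the input with NUL bytes up to the block size, so the
// JS side must zero-pad too or its ciphertext will not equal $crypttext.
function encryptLikeMcrypt(plaintext, key) {
  const data = Buffer.from(plaintext, 'utf8');
  const padded = Buffer.alloc(Math.ceil(data.length / 16) * 16); // zero-filled
  data.copy(padded);
  const c = crypto.createCipheriv('aes-256-cbc', key, IV);
  c.setAutoPadding(false);
  return Buffer.concat([c.update(padded), c.final()]).toString('base64');
}

// Node's default padding (PKCS#7): same key and IV, different ciphertext.
function encryptPkcs7(plaintext, key) {
  const c = crypto.createCipheriv('aes-256-cbc', key, IV);
  return Buffer.concat([c.update(plaintext, 'utf8'), c.final()]).toString('base64');
}

// mcrypt_decrypt() returns the padding NULs too; strip them as a PHP caller would with rtrim().
function decryptLikeMcrypt(b64, key) {
  const d = crypto.createDecipheriv('aes-256-cbc', key, IV);
  d.setAutoPadding(false);
  const out = Buffer.concat([d.update(Buffer.from(b64, 'base64')), d.final()]);
  return out.toString('utf8').replace(/\0+$/, '');
}

function demo() {
  const password = 'constructed-pass-123'; // constructed sample value
  const key = deriveKey('Message');        // 'Message' as in the PHP snippet
  const sent = encryptLikeMcrypt(password, key);
  return {
    paddingMatters: sent !== encryptPkcs7(password, key),
    // Fixed key + fixed IV: the same password always yields the same ciphertext.
    deterministic: sent === encryptLikeMcrypt(password, key),
    // Whoever can read the page's JS knows the key rule and recovers the value.
    recovered: decryptLikeMcrypt(sent, deriveKey('Message')),
  };
}
console.log(demo());
```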