PHP Security-Password sniffing

Password sniffing

Although attackers are not specifically used for access control by sniffing (viewing) network traffic between your users and applications, be aware that data exposure becomes increasingly important, especially for authentication information.

Using SSL is an effective way to prevent HTTP requests and responses from being exposed. Requests for any resources that use the HTTPS scheme can prevent password sniffing. The best approach is to always use SSL to send authentication information, and you may want to use SSL to transfer all requests that contain the session ID to prevent session hijacking.

To prevent user authentication information from being exposed, use the HTTPS scheme in the URL of the form's Action property as follows:

CODE:   <form action= "https://example.org/login.php" method= "POST" >  <p>username: <input type= "Text" name= "username"/></p>  <p>password: <input type= "Password" name= "Password"/></p >  <p><input type= "Submit"/></p>  </form>

It is highly recommended to use the Post method in the validation form, because the validation information is less exposed than the Get method, regardless of whether you are using SSL or not.

Although this is done only to protect the user's authentication information from being exposed, you should also use SSL for the HTML form at the same time. This is not for technical reasons, but users will feel more comfortable entering authentication information when they see that the form is SSL protected (see Figure 7-1).

Figure 7-1. Most browsers display a lock icon when the current resource is protected by SSL

The above is the PHP security-password sniffer content, more relevant content please pay attention to topic.alibabacloud.com (www.php.cn)!

