
I am very interested in php and login forms. However, I am still struggling what is safe to do and what not.

When a user logs in, I need to send the username and password via POST to a php.

  • At the moment I am hashing the password on the server with a php function. The hashed password is stored in the database as well.

  • I read you can hash it already with JS on client side? But what happens when js is not activated? I can't be sure that it is 100% correctly hashed.

  • Is it safe to send a plain password via post but with HTTPS?

Thanks for your input. I am happy to learn some new techniques to make it even safer.

davidev
  • As long as you send it via HTTPS, you're good. Even big sites do it without using any additional encryption of the password string. – Constantin Groß Oct 10 '19 at 10:16
  • Don't encrypt passwords. You should never store passwords in any form on the server. Only store secure hashes. – Dharman Oct 10 '19 at 10:17
  • Thank you @ConstantinGroß That is good to know. – davidev Oct 10 '19 at 10:17
  • Regarding storage of passwords, you should not rely on a standard hashing function like `sha1` (and especially not `md5`). Read up on "salting" passwords and/or use dedicated password hashing algorithms/libraries. – Constantin Groß Oct 10 '19 at 10:17
  • Don't encrypt passwords. [Hash them!](https://www.php.net/manual/en/function.password-hash.php) – Peter Oct 10 '19 at 10:18
  • Sorry, I expressed myself wrong, I am using the password_hash function in php. – davidev Oct 10 '19 at 10:20

1 Answer

Yes, you send a plain password via HTTPS to your server, and your server will hash it there and store the hashed password in a database.

You might also read about CSRF protection. In every POST request you should integrate a CSRF protection.

In theory a hacker could recreate your frontend website with a form. The user that visits his page will think it's your page and he will try to register/log in to your page. With no CSRF protection the user will be able to log in and will be redirected to your site, for example a dashboard, and the hacker could then save this information in his database.

bill.gates
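The two points from the answer put together as an added example (not code from the question or the answer): the password arrives in plain text over HTTPS, the server compares it with `password_verify()` against the `password_hash()` value in the database, and every POST must carry the session's CSRF token. It assumes HTTPS is enforced, PHP 7 or later, a PDO connection in `$db`, and a `users(username, password_hash)` table; those names and the redirect target are placeholders.

```php
<?php
// Added example: PHP login handler with server-side password_verify()
// and a per-session CSRF token. Assumptions: HTTPS is enforced, $db is a
// PDO connection, and the table users(username, password_hash) exists
// (placeholder names). The stored hash was produced at registration with
// password_hash($plain, PASSWORD_DEFAULT), which salts automatically.
declare(strict_types=1);
session_start();

// One token per session; render it as <input type="hidden" name="csrf_token">.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// hash_equals() compares in constant time, so the check leaks no timing info.
function csrfTokenIsValid(?string $submitted): bool
{
    return $submitted !== null
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Fetch the stored hash and let password_verify() do the comparison;
// the plaintext never goes into the SQL query.
function checkLogin(PDO $db, string $user, string $plain): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($plain, $hash);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    if (checkLogin($db, (string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''))) {
        session_regenerate_id(true); // fresh session id after login (session fixation)
        $_SESSION['user'] = (string)$_POST['username'];
        header('Location: /dashboard'); // placeholder redirect target
        exit;
    }
    http_response_code(401);
    exit('Login failed');
}
```

The token from `csrfToken()` has to be embedded in the login form the server renders, so a form copied onto another site does not have a valid one for the user's session.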