2011-02-07, 11:23 PM
I'm creating a site where users need to log in to perform certain actions, and have 2 issues I need to solve before I can continue:
1) How should I handle the password client-side? I know not to store it plain-text server side, my problem comes from transmitting it over a non-https connection. Should I really care though?
2) How should I go about storing a persistent login, like MyBB's "remember me" option, in a cookie? Storing the password is dumb, but I need some way to validate a user after a period of time has passed. Should I store the server-side representation?
Note that I can't just copy how MyBB does it, as MyBB is under the GPL and I refuse to release anything under it, and would rather avoid it altogether.
I'm working in PHP, and while I think security is important, I don't know how much is important and how much is overkill as I've never needed to write a script like this before (MyBB's always handled the login and registration stuff for me).
Thank you for your help!
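Added example, not from the poster or from MyBB: one way to structure the two pieces asked about above. On question 1, hashing the password in the browser does not help on a plain-HTTP connection, because whatever the browser sends is what an eavesdropper replays; the fix is TLS, and the server-side hash is then done with password_hash. On question 2, the cookie never carries the password or the server-side password hash. It carries a random selector plus a random validator; the table stores the selector and only a SHA-256 of the validator, so a leaked table cannot be turned back into working cookies. The in-memory array standing in for the persistent_logins table, the cookie name, and the 30-day lifetime are assumptions; the code assumes PHP 7.3 or later for random_bytes, hash_equals and the array form of setcookie.

```php
<?php
// Added example: password storage plus a selector/validator "remember me" token.
// $store is an in-memory stand-in for a persistent_logins table (assumption);
// replace the array reads/writes with PDO queries against the same columns.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';        // assumed cookie name
const REMEMBER_TTL    = 30 * 24 * 3600;    // 30 days, an assumption

/** Registration: keep only a salted, slow hash of the password. */
function hashPassword(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

/** Login: compare the submitted password with the stored hash. */
function checkPassword(string $password, string $storedHash): bool {
    return password_verify($password, $storedHash);
}

/**
 * Issue a persistent-login token for $userId and return the cookie value.
 * Only a hash of the validator is stored, so the table alone is not enough
 * to forge a cookie.
 */
function issueRememberToken(array &$store, int $userId): string {
    $selector  = bin2hex(random_bytes(9));    // lookup key, 18 hex chars
    $validator = bin2hex(random_bytes(32));   // the secret, 64 hex chars
    $store[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

/**
 * Validate a cookie value; return the user id or null. A valid token is
 * consumed and replaced, and $newCookie receives the replacement value.
 */
function consumeRememberToken(array &$store, string $cookie, ?string &$newCookie = null): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector] ?? null;
    if ($row === null) {
        return null;
    }
    // Constant-time comparison of the hashed validator, not of the raw value.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Right selector, wrong validator: someone has the selector but not
        // the secret. Revoke rather than leave the token usable.
        unset($store[$selector]);
        return null;
    }
    if ($row['expires'] < time()) {
        unset($store[$selector]);
        return null;
    }
    // Rotate on every use so a copied cookie dies once the real user comes back.
    unset($store[$selector]);
    $newCookie = issueRememberToken($store, $row['user_id']);
    return $row['user_id'];
}

/** Send the cookie with HttpOnly set, and Secure once the site is on HTTPS. */
function sendRememberCookie(string $value): void {
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Walk-through on constructed data (run from the CLI; no web server needed).
$persistentLogins = [];
$stored = hashPassword('correct horse battery staple');
if (!checkPassword('correct horse battery staple', $stored) || checkPassword('wrong', $stored)) {
    throw new RuntimeException('password check misbehaved');
}
$cookie = issueRememberToken($persistentLogins, 42);
if (consumeRememberToken($persistentLogins, $cookie, $rotated) !== 42) {
    throw new RuntimeException('fresh token rejected');
}
// The original cookie value is now dead; the rotated one is the live token.
if (consumeRememberToken($persistentLogins, $cookie) !== null
    || consumeRememberToken($persistentLogins, $rotated) !== 42) {
    throw new RuntimeException('rotation misbehaved');
}
echo "ok\n";
```

On logout, delete the row for the selector and clear the cookie; to sign out every device, delete every row for that user_id. The selector exists only so the lookup can hit an index without comparing the secret in SQL; the secret is never in the table, which is the property that makes storing a "server-side representation" of the password in the cookie unnecessary.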