lundi 1 décembre 2014

Techniques to make a login page safe without using SSL



I am developing a web page where people can write and comment things (no personal informations required) and I need to put a log in form so users can see all their actions on my web page. My idea is to program a log in form without SSL and also allow people to log in with Facebook if they prefer. The page will load completely only if JavaScript is enabled.




  1. My first problem is making sure that nobody can steal the user credential by acting like a man in the middle. I thought of solving it with a first hashing on client side with JavaScript and then on the server side, if I receive hashed values(in case someone deletes some JavaScript), a second hashing and store those hashed values in the user database. Is it a safe way to implement it? Also, are there any chances that some data get lost? If so how can I know if the received data is not compromised?




  2. Protect from dictionary and brute force attacks. I would solve it by counting the number of failed log in attempts associated to that user account and if it is more than 8-10 in row show a CAPTCHA at each of the next log in and also implement a time delay between successive log in attempts. I think in this way IP changes are not going to be a problem because I am counting the number of failed log ins on the server side (I would set a user variable in PHP).




  3. The Log In form. I implemented it in this way (without the hashing for now):


    <input id="username" name="userName" placeholder="Username" type="text"> <input id="password" name="pass" placeholder="Password" type="password">


    But when the form is sent on the URL I can read the password like: /LogIn.php?userName=user&pass=pass How can I hide the password?




What could be other good advices, to achieve as much security as I can without using SSL?





Aucun commentaire:

Enregistrer un commentaire