Section 7.2. Password Sniffing


7.2. Password Sniffing

Although not specific to access control, when an attacker can sniff (observe) traffic between your users and your application, being mindful of data exposure becomes increasingly important, particularly regarding authentication credentials.

Using SSL is an effective way to protect the contents of both HTTP requests and their corresponding responses from exposure. Any request for a resource that uses the https scheme is protected against password sniffing . It is a best practice to always use SSL for sending authentication credentials, and you might consider also using SSL for all requests that contain a session identifier because this helps protect your users against session hijacking.

To protect a user's authentication credentials from exposure, use an https scheme for the URL in the form's action attribute as follows:

     <form action="https://example.org/login.php" method="POST">     <p>Username: <input type="text" name="username" /></p>     <p>Password: <input type="password" name="password" /></p>     <p><input type="submit" /></p>     </form> 

Using the POST request method is highly recommended for authentication forms because the authentication credentials are less exposed than when using GET, regardless of whether SSL is being used.


Although this is all that is required to protect a user's authentication credentials from exposure, you should also protect the HTML form itself with SSL. There is no technical reason to do so, but users feel more comfortable providing authentication credentials when they see that the form is protected with SSL (see Figure 7-1).

Figure 7-1. Most browsers display a lock icon when the current resource is protected with SSL





Essential PHP Security
Essential PHP Security
ISBN: 059600656X
EAN: 2147483647
Year: 2005
Pages: 110

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net