ErergeVoppy
I'm creating an application similar to phpMyAdmin (database management UI). The user needs to authenticate himself against the database and the application needs to store the credentials somehow. SSL is not an option for all installs.
- Idea 1: User sends credentials, application stores username and encrypts password using predefined Blowfish secret key (config.ini.php) - This is what phpMyAdmin does.
- Idea 2: Login form creates random Blowfish secret (JavaScript), user sends login credentials, application encrypts user/password and stores them server-side in the session, secret key is stored into cookie and sent for every request.
Idea 2: Problem with man-in-the-middle attack. (Key + credentials are sent)

Any other suggestions? Criticism?
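The storage split described in Idea 2, as an added example that is not part of the original post: the server keeps only ciphertext in the session and needs the key from the cookie to recover the credentials. It assumes AES-256-GCM (via PHP's OpenSSL extension) in place of Blowfish; the function names, the `$session` array standing in for `$_SESSION`, and the sample values are hypothetical.

```php
<?php
// Added example. Assumption: AES-256-GCM is swapped in for Blowfish.
const CIPHER = 'aes-256-gcm';

/** At login: encrypt the credentials with the key the login form supplied. */
function seal_credentials(string $user, string $password, string $key): string
{
    $iv    = random_bytes(12);                       // 96-bit nonce for GCM
    $plain = json_encode(['user' => $user, 'password' => $password]);
    $tag   = '';
    $ct    = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);          // value kept in the session
}

/** On later requests: null if the cookie key is wrong or the record was altered. */
function open_credentials(string $record, string $cookieKey): ?array
{
    $raw = base64_decode($record, true);
    $key = base64_decode($cookieKey, true);
    if ($raw === false || $key === false || strlen($raw) < 28 || strlen($key) !== 32) {
        return null;
    }
    $iv    = substr($raw, 0, 12);
    $tag   = substr($raw, 12, 16);                   // GCM authentication tag
    $ct    = substr($raw, 28);
    $plain = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $plain === false ? null : json_decode($plain, true);
}

// Constructed sample values. random_bytes() stands in for the random secret
// that the login form would generate in JavaScript and send with the login.
$formKey   = random_bytes(32);
$cookieKey = base64_encode($formKey);                // goes into the cookie
$session   = ['db_credentials' => seal_credentials('dbadmin', 'example-password', $formKey)];

// Request carrying the right cookie.
var_dump(open_credentials($session['db_credentials'], $cookieKey));

// Session record paired with a different key, as when only the session store is available.
var_dump(open_credentials($session['db_credentials'], base64_encode(random_bytes(32))));
```

The key never rests on the server, but it travels in the login request and in every cookie, so on installs without SSL it stays exposed on the wire, which is the man-in-the-middle concern raised in the post.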