
My app uses a login/register system which encrypts passwords using BCrypt. When a user registers, the password is encrypted using BCrypt and then stored in the MySQL database. However, when a user logs in I want the password to be encrypted too, for security reasons. I could encrypt the password before putting it in the login URL, but you can compare 2 hashes, so that isn't going to work.

How can I encrypt the password in the login request (url) too?

I didn't explain my question very well, so I will try to explain it in more detail. In the app I have a script that sends a URL request, for example site/login.php?username=name&password=password
When I look back at my visitor logs in my cPanel I can read the &password field, so I know the passwords of my users. That's the thing I want to prevent; I want to make it so that even I can't see the users' passwords anywhere.

2 Answers


  1. I think you are doing something wrong here by using the "GET" method in your login form instead of "POST".

    From w3schools:

    Never use GET to send sensitive data! (will be visible in the URL)

    When you’re sending the login details to a php page that will check the credentials, if your form uses the POST method, the password will not appear in the url.

    EDIT: Taking into account what was said in the comments, though it looks more secure and is recommended by W3 (see Touheed Khan's answer), POST isn't more secure than GET and, as RiggsFolly said:

    HTTPS is the only sensible secure mechanism

  2. Send the password over an HTTPS connection and as a POST, not in the URL.

    Using HTTPS will encrypt everything except the address portion of the URL.

    The reason for using POST even when using HTTPS is because many servers log the URLs and that would usually include the password. Obviously having the password in the server log is a security failure.

    Don’t hash the password prior to sending to the server, that just makes the hash the password.

    Using BCrypt on the server to hash the password for storage is a secure method as is password_hash and password_verify, both common for PHP.

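Putting the two answers together in code: the following PHP handler is an added example, not code from the question or either answer. It refuses plain HTTP and GET requests (so the credentials never reach the query string that the server's access log records), reads the credentials from the POST body, and uses password_hash/password_verify with bcrypt on the server. The table layout, DSN, database credentials and the register.php/login.php split are assumptions for the example.

```php
<?php
// login.php / register.php handler: added example, not code from the original
// question or answers. Assumes a MySQL table
//   users(username VARCHAR(64) PRIMARY KEY, password_hash VARCHAR(255) NOT NULL)
// and placeholder DSN/credentials in db() below.
declare(strict_types=1);

const BCRYPT_OPTIONS = ['cost' => 12];  // tune so one hash takes a few hundred ms on the server

function db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',   // placeholder DSN
        'app_user', 'db-password',                           // placeholder credentials
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
}

// Registration: the server hashes the cleartext it received over TLS.
// Only the bcrypt hash is stored; the cleartext is never written anywhere.
function register(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login: compare the submitted cleartext against the stored hash (prepared
// statement, so the username cannot inject SQL). If the stored hash was made
// with a lower cost than BCRYPT_OPTIONS, re-hash it while we have the cleartext.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS), $username]);
    }
    return true;
}

// ---- request handling ----
header('Content-Type: application/json');

// TLS is what keeps the credentials off the wire. Behind a TLS-terminating
// proxy, check the header the proxy sets (e.g. X-Forwarded-Proto) instead.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    echo json_encode(['error' => 'HTTPS required']);
    exit;
}

// Reject GET: a query string ends up in the access log, browser history and
// Referer headers. A POST body is not written to the standard access log.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    echo json_encode(['error' => 'use POST']);
    exit;
}

$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');
if ($username === '' || $password === '') {
    http_response_code(400);
    echo json_encode(['error' => 'username and password required']);
    exit;
}

$pdo = db();
if (basename($_SERVER['SCRIPT_NAME']) === 'register.php') {   // assumed file split
    register($pdo, $username, $password);
    echo json_encode(['ok' => true]);
} else {
    $ok = login($pdo, $username, $password);
    http_response_code($ok ? 200 : 401);
    echo json_encode(['ok' => $ok]);
}
```

The app then sends the credentials in the body, for example `curl -sS --data-urlencode 'username=name' --data-urlencode 'password=secret' https://site/login.php`; the access log line for that request reads `"POST /login.php HTTP/1.1"` with no credentials in it. Two caveats: the logs already written still contain every password that was sent via GET, so rotate or delete them and have users change their passwords; and a request that is logged by a reverse proxy or a WAF configured to log bodies would still capture the POST body, so check what those components record.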