2

I just want to understand what happens to the data when a user submits a login form to a PHP script on server?

Why we hash or encrypt the password on the server side script while the user submits it to the server via a form (I think it's client side script as HTML) in a plain text can be read by any hacker?

DevManX
  • 476
  • 3
  • 14
  • possible duplicate of [Must logins be a https page](http://stackoverflow.com/questions/4309199/must-logins-be-a-https-page) and [Secure hash and salt for PHP passwords](http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) – Artjom B. Apr 03 '15 at 14:35
  • 1
    "Read by any hacker" is mostly a media exaggeration. Listening to someone's unencrypted internet traffic requires the cracker to connect at some point to your connection to the server, which is often not trivial. Approaches include offering free (malicious) wifi, listening to all traffic on public wifi (both easy), installing a hardware device at someone's office (getting harder), tapping into the public telecommunications network at a roadside routing box (harder still). – halfer Apr 03 '15 at 14:36
  • Passwords are just one (popular) authentication factor. But there are also others. – Gumbo Apr 03 '15 at 14:36

2 Answers2

2

what happens to the data when a user submits a login form to a PHP script on server?

The data travels over the internet from one computer to another. Nothing more, nothing less. What the server does with the submitted data is up to the server.

Why we hash or encrypt the password on the server side...

In order not to store the password in plain text where anybody can see it. A password is a secret that only the user should know and nobody else. Yes, it needs to travel to the server in plain form, this is more or less inevitable. But then the server should do everything in its power to not leave any trace of this plain form around.

...can be read by any hacker.

That's why every data submission should be secured by a SSL/TLS connection. Without that, it's indeed just plaintext on the wire. A properly set up TLS connection in a secure environment is practically unbreakable.

deceze
  • 510,633
  • 85
  • 743
  • 889
  • If the attacker has access to the server, he/she still can read the securely transmitted data. Same applies to the other end of the connection. – Gumbo Apr 03 '15 at 14:38
  • That's why I ambiguously carefully worded it as "secure environment". There are still any number of ways in which data can be intercepted, absolutely. If either peer is compromised, all bets are off. – deceze Apr 03 '15 at 14:39
  • @deceze Simple but informative and in the point explanation. Now I understand the process. Thank you so much. – DevManX Apr 04 '15 at 04:43
0

You are right, there can be a MITM (Man In The Middle) attack and the hacker can eventually read your password. That's why the use of HTTPS (everywhere) is preferable to secure your form submission.

Some references that can help you:

URIs, Addressability, and the use of HTTP GET and POST

All you want to know about HTTPS

Community
  • 1
  • 1
Akram Fares
  • 1,653
  • 2
  • 17
  • 32