As my web server doesn't allow use of the PHP_AUTH_USER and PHP_AUTH_PW keywords because of CGI (Col. Shrapnel in 'PHP_AUTH_USER not set?'), I'm examining some other ways to send a user's password to the server.
Sending the password as plaintext using POST is a no-go: capturing packets and looking at the header reveals the password.
So I could hash the password first. But someone intercepting the packet and copying the hash and username could still login using this information, right?
Making the hash dynamic by using a timestamp could prevent copying the hash. I could send the password as (timestamp + hash(password+timestamp)) (Last.FM uses something like this). The server could then subtract the timestamp (check if it's not expired or something), hash the known password with it and check if they are the same. But then the password has to be known by the server, so the question remains:
how to get this password safely to the server upon registering?
Then there's HTTPS, requiring an SSL certificate, which is not available to me (not worth the money (yet?)).
Any thoughts?
P.S. In the end I want to authenticate an Android app against my web server.
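The timestamped-digest exchange sketched in the question, worked through with both the client and server side, as an added example that is not part of the original post (Python rather than PHP; SHA-256 as the hash, a 30-second acceptance window and the sample credential are assumptions made here). It also shows the property the question worries about: a captured token is still valid for as long as the server's window allows.

```python
import hashlib
import hmac

# Constructed sample credential. The scheme requires the server to hold the
# plaintext password, which is exactly the registration problem the question raises.
USER_DB = {"alice": "correct horse battery staple"}

# How far a token's timestamp may deviate from the server clock (assumption).
WINDOW_SECONDS = 30


def make_digest(password: str, timestamp: int) -> str:
    """hash(password + timestamp) as described in the question, here SHA-256 hex."""
    return hashlib.sha256(f"{password}{timestamp}".encode()).hexdigest()


def client_token(username: str, password: str, now: int) -> dict:
    """What the client puts on the wire: username, its timestamp and the digest.
    The password itself never leaves the client."""
    return {"user": username, "ts": now, "digest": make_digest(password, now)}


def server_verify(token: dict, now: int) -> bool:
    """Server side: look up the stored password, check the timestamp is fresh,
    recompute the digest and compare in constant time."""
    password = USER_DB.get(token.get("user"))
    if password is None:
        return False
    try:
        ts = int(token["ts"])
    except (KeyError, TypeError, ValueError):
        return False
    if not (now - WINDOW_SECONDS <= ts <= now + WINDOW_SECONDS):
        return False  # expired, or a clock far in the future
    expected = make_digest(password, ts)
    return hmac.compare_digest(expected, str(token.get("digest", "")))


def demo() -> dict:
    """Run the exchange and a few attacker-style retries at a fixed, constructed clock."""
    t0 = 1_700_000_000  # constructed "now"
    captured = client_token("alice", USER_DB["alice"], t0)  # what a sniffer sees
    return {
        "fresh": server_verify(captured, t0),
        # Same bytes resent 10 s later: still inside the window, so accepted.
        "replay_in_window": server_verify(captured, t0 + 10),
        # Same bytes resent 60 s later: outside the window, rejected.
        "replay_expired": server_verify(captured, t0 + 60),
        "wrong_password": server_verify(client_token("alice", "guess", t0), t0),
        "unknown_user": server_verify(client_token("bob", "x", t0), t0),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Two things the code makes concrete. First, the window is a trade-off: every second it is open, a captured token replays; closing it to zero breaks clients whose clocks drift. Second, the digest is a fast hash of the password plus a value the attacker also sees, so anyone who captures one token can guess passwords offline until the digest matches, with no rate limit from the server. Neither issue exists with TLS, which is why the answer below points there.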
If security really is so important to you, I'd really go for something like HTTPS. If it's not available to you, maybe switch web hosts, or whatever your limitation is? If money is the problem, there were some suggestions in the question comments (free ones, self-signed, etc.).
This hashing with timestamp and such is pretty much only going to end up as security through obscurity (related question).
I’m not a security expert though. All I know is that security is very very hard, and the ones who want to break in are usually smarter than me. So I try to keep things simple and use common well-tested solutions instead of trying to come up with my own “clever” thing.