I know it’s a bad idea but I need to do this. I’m about 8 weeks away from getting a new server where I can have a working SSL’d application. So for the next 8 weeks I need to make it hard for someone to eavesdrop my app.
One idea I had was, as the user entered their email address and password and clicks login, I write to the database a very unique and random password (maybe timestamp + ipaddress) to a column ‘latestAttempt’, next to their login details. When the request reaches the login script page, it checks to see if that IP address has tried to make a login in the last 1 minute. This should at least prove that the login details came from the login page.
I know I can’t stop it but I would like to make it difficult. Are there any other methods out there that could temporarily put off eavesdroppers, while I wait for my new server with SSL?
UPDATE
I understand why this proposal wouldn’t work, I’m not sure why it even came to my head to be honest, it’s a load of rubbish!
Your proposed solution won’t help. The purpose of SSL is to prevent eavesdropping on the password as it is sent over the wire from the browser to your server, and no amount of timestamps/checking repeat logins will help stop that.
In the absense of SSL, there’s not much you can do that is really secure, in the truest sense of the word. What might help in at least a small way is to use javascript to scramble the password before posting it to your server. Even better if you can find a javascript library that implements a real encryption algorithm, preferrably using public/private keys since the the encryption method will be public.