[development] Security and Drupal

jcisio jcisio at gmail.com
Sun Jan 9 09:01:44 UTC 2011


You can:
- Use SSL for the login page. But I think the mixture of http/https
sessions is solved better in D7
- Use another login mechanism, like sending the md5 hash directly to the
server. This way your password is "safe" (don't correct me on this
word ;-) ). However, any attacker can capture your packets and replay
the login without any difficulty.

--
Hai-Nam Nguyen (aka jcisio)
http://jcisio.com



On Sun, Jan 9, 2011 at 9:36 AM, Austin Einter <austin.einter at gmail.com> wrote:
> Hi All
> I just made a site using Drupal6.2 and on the front page I have kept a "user
> login" block. I hosted this site using some third-party web server.
>
> I tried to log in to the new site from my PC using my user name and password, and
> prior to that I was capturing the packets that were being sent/received by
> my PC.
> By checking the content of a few packets I could figure out the user name and
> password in plain text.
>
> So it looks like others can see these packets and get the administrative user
> name and corresponding password and hence can modify site content, and it is
> really dangerous.
> I assume people must have thought of it and there should be some way to make
> sure the username and password are encrypted by default, hence avoiding a
> third party's role in site content modification.
>
> Please guide me in this regard and provide some pointers on how I can make
> the username/password secure while logging in to sites based on Drupal.
>
> Regards
> Austin
>
>
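The two observations in this thread, credentials readable straight out of a plain-HTTP login POST and a client-side md5 hash being trivially replayable, as an added worked example. This is illustration code written for this archive page, not code from Drupal or from either poster. The captured request below is constructed (the Drupal 6 login block does post `name`, `pass` and `form_id=user_login_block`, but the host, path and values are made up), the two toy servers are hypothetical, and the nonce challenge at the end goes beyond the thread to show what it actually takes to stop a replay.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed sample: what a sniffer sees for a plain-HTTP login POST to a
# Drupal 6 "user login" block. Field names are Drupal 6's; values are made up.
CAPTURED_LOGIN_POST = (
    "POST /node?destination=node HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 60\r\n"
    "\r\n"
    "name=admin&pass=s3cret%21&form_id=user_login_block&op=Log+in"
)


def credentials_from_capture(raw_request: str) -> dict:
    """Pull username and password out of a plaintext HTTP login request,
    exactly as a passive eavesdropper on the wire would."""
    _headers, _, body = raw_request.partition("\r\n\r\n")
    fields = parse_qs(body)
    return {"name": fields["name"][0], "pass": fields["pass"][0]}


class HashedPasswordServer:
    """Toy server for the 'send md5(password) instead of the password' idea.
    It stores md5(password) and accepts any login whose digest matches."""

    def __init__(self, users: dict):
        self._digests = {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}

    def login(self, name: str, sent_digest: str) -> bool:
        stored = self._digests.get(name)
        return stored is not None and hmac.compare_digest(stored, sent_digest)


def hashed_login_message(name: str, password: str) -> dict:
    """What the client sends under the md5 scheme. The digest is static, so
    it is as good as the password to anyone who captured it."""
    return {"name": name, "pass_md5": hashlib.md5(password.encode()).hexdigest()}


def replay_attack(server: HashedPasswordServer, captured: dict) -> bool:
    """The attacker never learns the password; re-sending the capture is enough."""
    return server.login(captured["name"], captured["pass_md5"])


class ChallengeServer:
    """Hypothetical contrast: the server issues a fresh random nonce per attempt
    and expects HMAC(stored_secret, nonce). A captured answer is bound to a
    nonce that is never reused, so replaying it fails. Not something Drupal 6
    core does, and it still leaves the session cookie exposed without SSL."""

    def __init__(self, users: dict):
        self._secrets = {u: hashlib.md5(p.encode()).digest() for u, p in users.items()}
        self._pending = {}

    def challenge(self, name: str) -> str:
        nonce = secrets.token_hex(16)
        self._pending[name] = nonce
        return nonce

    def login(self, name: str, answer: str) -> bool:
        nonce = self._pending.pop(name, None)  # single use, consumed on any attempt
        secret = self._secrets.get(name)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, answer)


def answer_challenge(password: str, nonce: str) -> str:
    """Client side of the challenge: derive the same secret and MAC the nonce."""
    secret = hashlib.md5(password.encode()).digest()
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    print("sniffed:", credentials_from_capture(CAPTURED_LOGIN_POST))
    srv = HashedPasswordServer({"admin": "s3cret!"})
    captured = hashed_login_message("admin", "s3cret!")
    print("md5 scheme, replay succeeds:", replay_attack(srv, captured))
    cs = ChallengeServer({"admin": "s3cret!"})
    first = answer_challenge("s3cret!", cs.challenge("admin"))
    print("challenge, genuine login:", cs.login("admin", first))
    cs.challenge("admin")
    print("challenge, replayed answer:", cs.login("admin", first))
```

Two caveats worth keeping in mind: under the challenge scheme the stored md5 becomes a password-equivalent secret, and an eavesdropper who records the nonce and answer can still brute-force the password offline; and none of this protects the session cookie that follows a successful login, which is why the thread's first suggestion, SSL for the login (and ideally the whole session), is the one that actually addresses the problem.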

