Are Passwords encrypted on the client side or server side?

Anonymous

Guest
Case 1: New User Registration
Case 2: Existing User Login

In either case is the User Password encrypted on the Client Side or the Server Side?

Somehow I thought it was encrypted on the client side BUT after discovering the PHP API/Functions...
- password_hash()
- password_verify()

I read this online...
"Remember that you store the hashes in a database, but it’s the plain password that you get when a user logs in.
The password_verify() function takes a plain password and the hashed string as its two arguments. It returns true if the hash matches the specified password."

So, is it correct that no encryption occurs on the client side?

And that the process is sort of like the steps below...

New User Account Creation:
1 - New User fills out registration form
2 - that data is sent un-encrypted to the server
3 - the password is then encrypted/hashed via password_hash()
4 - and then stored (encrypted) with the username in the username_password table

Existing User Login:
1 - Existing user goes to log-in page and enters username and password
2 - that data is sent un-encrypted to the server
3 - password_verify() then takes the un-encrypted password and compares it to the hashed password in the table
4 - and returns 'true' if they match
5 - and you go on from here...

Thanks for any help.
 
There is no encryption done on either side. Passwords are hashed by password_hash. The hash is stored in the DB. On login, the user supplied password is hashed and compared to the hash in the DB with password_verify.
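
The registration and login steps discussed in this thread, as an added example that is not part of the original posts. The in-memory `$table` array stands in for the username_password table, and the function names `register_user` and `login_user` are hypothetical; the plain password is assumed to arrive over a TLS-protected connection.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the username_password table: username => stored hash.
$table = [];

// Registration: the server receives the plain password and stores only the hash.
function register_user(array &$table, string $username, string $password): bool
{
    if (isset($table[$username])) {
        return false; // username already taken
    }
    // PASSWORD_DEFAULT selects PHP's current default algorithm. A random salt is
    // generated and embedded in the returned string, so no separate salt column is needed.
    $table[$username] = password_hash($password, PASSWORD_DEFAULT);
    return true;
}

// Login: password_verify() re-hashes the submitted password using the salt and
// cost stored inside the hash string, then compares. Nothing is ever decrypted.
function login_user(array &$table, string $username, string $password): bool
{
    // Unknown usernames are checked against a throwaway hash so that a missing
    // account and a wrong password cost roughly the same amount of work.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

    $known  = isset($table[$username]);
    $stored = $known ? $table[$username] : $dummy;

    if (!password_verify($password, $stored) || !$known) {
        return false;
    }
    // If the default algorithm or cost has changed since this hash was created,
    // upgrade it now while the plain password is available.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $table[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample data.
register_user($table, 'alice', 'correct horse battery staple');
var_dump(login_user($table, 'alice', 'correct horse battery staple')); // bool(true)
var_dump(login_user($table, 'alice', 'wrong password'));               // bool(false)
var_dump(login_user($table, 'bob', 'anything'));                       // bool(false)
// Hashing the same password twice gives different strings because the salts differ.
var_dump($table['alice'] === password_hash('correct horse battery staple', PASSWORD_DEFAULT)); // bool(false)
```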
 
Thanks for the reply.

We had already planned to use password_hash() and password_verify().

But that is done on the server side. I've come to the conclusion that the best way to protect passwords passed from the client to the server is via an SSL connection. Of course this is an expense as the site has to buy an SSL certificate.

BTW, I would think that 'hashing' is in fact a form of encryption... aka... making the original data difficult to obtain by anyone other than who it was intended for.

Thanks.
 