In our JSP form, we are accepting user names and passwords and we submit the form using the POST method to a servlet. How safe is this? Is there any way someone can use a sniffer and get this password? What is the right way to accept usernames and passwords?

Kevin Dorff

What I do is this: On the user's form I have two visible form inputs, username and password, and two hidden form inputs, sessionid and response. Initially I set sessionid to the request session id (`request.getSession(true).getId()`).

When the user requests to submit the form I run a Javascript function that does the following:

  • Save the password to a local variable
  • Erase the password or replace it with some number of "x"'s
  • Concatenate together the username, the specified password, and the session id
  • Fill in the hidden form variable with the MD5 hash of the string I created in the previous step
  • Post the form

Now the form will be posted back to the server. On the server I create a hash from the same pieces (the username comes from the posted form, use the server's copy of the session id, and the password comes from the database) and compare the hash created on the server with the hash sent by the browser.

The Javascript MD5 hash function seems to be readily available and the Java class to do the same seems to be readily available, although I have modified the Java class, adding a static function that takes a String and returns a String (simplifying the coding a touch).

If you need a copy of the Javascript function or Java class feel free to email me at kdorff@kcp.com.