in reply to cgi and https (mildly off topic)
HTTPS provides SSL layer for data transfers between server and client. SSL itself prevents third party from sniffing this network traffic and can give client guarantee that server haven't been substituted by another by "cracker". However it doesn't provides authorization of client.
HTTP authorization with .htaccess and .htpasswd can be used for authorization of clients. It is based on protocol which passes password and username as clear text (well, not clear text but something which can be easily decoded). So without additional layer of enryption (like SSL) it is easy target for sniffer attacks.
Please note that HTTP authorization is not the only way to do client authorization (but propably simpliest to setup since it doesn't require any coding). It is common to use cookies for this task for example (like Perlmonks website does).
What you need is probably both SSL and some method of client authorization (for example - HTTP authorization).
As for using javascript in the webpages to encrypt the password. Well, since you have not gave any details about it I can't say that it is insecure. But unless you use some kind of asymmetric cryptography it will be always subject of sniffer attacks. Do you?
|
|---|