I have a site with the usual username/password login hooked to a MySQL backend. What's the best way to handle signup (sending the username/password) and logging in (same)? In particular, can you avoid using a POST and sending text parameters?
In general, don't ever send passwords over an unencrypted channel. People reuse passwords. The credentials they are using for your site could be the same for their bank.
Oh, and make sure to hash the passwords in your database. BCrypt is good for this task. Best not to try rolling your own methods (as has been pointed out here on YC news before).
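As an added illustration of the "hash the passwords in your database" advice above (not code from the original thread): a minimal signup/login pair over an in-memory stand-in for the MySQL users table. It uses Python's standard-library scrypt, a memory-hard KDF in the same family as bcrypt, because bcrypt itself needs a third-party package; the work factors, the `USERS` dict and the sample accounts are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed in-memory "users" table standing in for the MySQL backend.
# Each row holds only a random salt and the derived hash, never the password.
USERS = {}

# scrypt work factors (chosen for this example): N=2**14, r=8, p=1 costs about
# 16 MiB of memory per hash, which makes offline guessing expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte hash from the password with a slow, memory-hard KDF."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def signup(username: str, password: str) -> bool:
    """Create an account, storing a per-user salt and the derived hash only."""
    if username in USERS:
        return False
    salt = os.urandom(16)  # unique salt per user defeats precomputed tables
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}
    return True


def login(username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        # Still burn one hash so an unknown user does not answer faster
        # than a wrong password (avoids a timing-based username oracle).
        hash_password(password, b"\x00" * 16)
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])
```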
http://pdos.csail.mit.edu/papers/webauth:tr.pdf