posted 20 years ago
HTTPS negotiates a secure (encrypted) channel between the client and the server before any data is sent, so the username and password are encrypted when being sent to the server even if the secure connection is negotiated after you press the 'login' button.
A couple of side points to make though:
* You have to POST the data; if you use the GET method to send the username and password, they aren't secure.
* Also, never ever send the password back to the client. Not to pre-populate a password field, not as a password reminder, not in a registration page, not even if the page is encrypted, never, not ever.
* If you want to encrypt your site, you'll need a signed certificate. You can buy an official one for production sites, or you can create your own self-signed certificate if you are just playing around.
Dave
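
The first two side points, sketched as a minimal WSGI login handler. This is an added example, not code from the post: `login_app`, `USERS`, the `/login` and `/home` paths and the demo account are hypothetical, and the plaintext comparison stands in for a real salted-hash check.

```python
import hmac
from html import escape
from urllib.parse import parse_qs

# Constructed demo account; a real application checks a salted password hash.
USERS = {"alice": "correct horse"}

FORM = ('<form method="post" action="/login">'
        '<input name="username" value="{user}">'
        '<input name="password" type="password" value="">'
        '<button>login</button></form>')

def login_app(environ, start_response):
    """WSGI login handler: HTTPS only, POST only, password never echoed."""
    def reply(status, body, extra=()):
        headers = [("Content-Type", "text/html; charset=utf-8"),
                   ("Cache-Control", "no-store"), *extra]
        start_response(status, headers)
        return [body.encode()]

    if environ.get("wsgi.url_scheme") != "https":
        return reply("403 Forbidden", "HTTPS required")
    if environ["REQUEST_METHOD"] == "GET":
        # URLs are commonly recorded in server logs and browser history,
        # so credentials in a query string are refused, not processed.
        query = parse_qs(environ.get("QUERY_STRING", ""))
        if "password" in query:
            return reply("400 Bad Request", "Send credentials with POST")
        return reply("200 OK", FORM.format(user=""))
    if environ["REQUEST_METHOD"] != "POST":
        return reply("405 Method Not Allowed", "", [("Allow", "GET, POST")])

    size = int(environ.get("CONTENT_LENGTH") or 0)
    fields = parse_qs(environ["wsgi.input"].read(size).decode())
    user = fields.get("username", [""])[0]
    password = fields.get("password", [""])[0]
    expected = USERS.get(user, "")
    if expected and hmac.compare_digest(password.encode(), expected.encode()):
        return reply("303 See Other", "", [("Location", "/home")])
    # Failed login: re-render with the username only; the password field
    # is always sent back empty.
    return reply("401 Unauthorized", FORM.format(user=escape(user)))
```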