This is a discussion on Securest NON-SSL Mechanism for user login ? within the PHP Language forums, part of the PHP Programming Forums category; Within the bounds of Javascript and pHP, what is the securest login mechanism anyone here has come up with. -- Spam:...
Within the bounds of Javascript and pHP, what is the securest login mechanism anyone here has come up with.

--
Spam:newsgroup(at)craznar.com@verisign-sux-klj.com
Hello,

On 10/11/2003 02:05 PM, 127.0.0.1 wrote:
> Within the bounds of Javascript and pHP, what is the securest login
> mechanism anyone here has come up with.

You may want to take a look at the example that comes with this class of a login form that encrypts a password with MD5 and stores it in a hidden field before the form is submitted.

--
Regards,
Manuel Lemos
Free ready to use OOP components written in PHP
http://www.phpclasses.org/
Hello,

On 10/11/2003 04:23 PM, Manuel Lemos wrote:
> On 10/11/2003 02:05 PM, 127.0.0.1 wrote:
>
>> Within the bounds of Javascript and pHP, what is the securest login
>> mechanism anyone here has come up with.
>
> You may want to take a look at the example that comes with this class of
> a login form that encrypts a password with MD5 and stores it in a hidden
> field before the form is submitted.

http://www.phpclasses.org/formsgeneration

--
Regards,
Manuel Lemos
Free ready to use OOP components written in PHP
http://www.phpclasses.org/
On Saturday 11 October 2003 12:05 pm, 127.0.0.1 wrote:
> Within the bounds of Javascript and pHP, what is the securest login
> mechanism anyone here has come up with.

HMAC. Go read RFC 2104 for background (http://www.rfc-editor.org/rfc/rfc2104.txt). Next, google for an HMAC implementation in javascript.

In the login form, send down a hidden form field with a random value (place the same value in the session). The user types in a username and password. The submit button fires off javascript that computes digest=HMAC( password, secret ) and submits SessionID, username, and digest.

Back on the server side, grab the secret out of the session. Look up the user's password and compute the HMAC using the server-side info you have. Then compare the digests.

The neat part about this is that the digest changes every time, so you avoid replay attacks. The bad part is that somebody has to have cleartext access to the password. You could argue that you could just MD5 the pass and use that for HMAC. You'd be right of course, but at that point the MD5 becomes as good as having the actual password. You want to push the actual server side HMAC computation as far back as possible. If you're using a database that supports stored procedures, do it there.

--
Don Faulkner, KB5WPM
(This space unintentionally left blank)
"All that is gold does not glitter."
"Not all those who wander are lost."
-- J.R.R. Tolkien