I know the answer to a secure site is SSL, but what if you are on a shared
host, SSL is unavailable and you still want some sort of security?
This is what I came by and I would appreciate any advice as to possible
security holes in it. There is a big hole I know, which is the screen to
change the password, I find no way to secure that one. But lets go to what
I do have.
I found at http://pajhome.org.uk/crypt/md5/md5src.html a Javascript version
of the MD5 algorithm.
I checked it against the PHP md5() function:
<html><head><title>MD5 test</title>
<script language="JavaScript" src="includes/md5.js"></script>
<script>
function enOnLoad() {
document.getElementById('prueba').innerHTML = md5_vm_test(); //test
provided by the library
<?php
$valor = rand();
?>
document.getElementById('p2').innerHTML = hex_md5('<?=$valor?>');
}
</script>
</head><body onLoad="enOnLoad();">
<div id=prueba></div>
<div id=p2></div>
<div><?=md5($valor)?></div>
</body></html>
And the results of the Javascript and the PHP md5() functions are the same
(the JS source has a couple of parameters to play with, but the defaults
proved good enough)
So, my idea is that in the login script, PHP will send a random number along
with the login form. That random might actually be the session_id() but if
not, the random value sent has to be stored in a session variable. (I really
don't see any reason not to use the session_id()).
On clicking on submit to send the login form, the password field would be
replaced by the result of
a) calculate the MD5() of the password, trimmed of whitespace. This should
be the same value stored in the user table of the database.
b) concatenate this value with the random number (or session_id()) provided
by the server.
c) calculate the MD5() of this
d) replace it into the original password field and let the submit proceed.
On the server side, when the login data is received:
a) retrieve the password field from the user table on the database. This
should actually be the MD5-encripted of the actual password.
b) concatenate this value with the session_id() or whatever random you
generated before
c) calculate the MD5() of this
d) compare with received value. If they match, they come from the same
password.
Would it work?
Satyam
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
