On 23/10/06, David Tulloh <david@xxxxxxxxxxxx> wrote:
> Breaking this down you have a hardcoded password. In the script you store a hash of the password rather than the actual password.

Yes, no choice but to have the password in the file. I can't include() anything, and no mysql. So, only hashed would I dare keep it.

> Upon first access you take a hash of the password and compare it against your stored hash. If it's a match you have an authentic user. The authentic user is then supplied with a cookie that contains a hashed version of your hash. On further logins you check the cookie information against a hashed version of your stored hash password. I think that this last step is really very flawed. You gain nothing against people finding the cookie file on the hard drive because the hashed version in the cookie is enough to access the page as a logged in user.

Yes, it would be such in any other situation, no?

> You gain nothing against people sniffing the traffic to get the password, they already have the password from the first page, they can also pick up the cookie from the traffic and simply reuse it.

Also, a problem not unique to my situation. It would be like this even if I had a better security model.

> You actually allow someone who sees your source code to log in as they can calculate a hash on the string in your file and feed that in as a cookie.

Yes, that is my main concern. However, being a linbox, if someone is able to see the source code then he already has access to the user's account. Notwithstanding an Apache failure, of course.

> Hashing a hash is in general a bad idea as you actually decrease the randomness.

Didn't know that, thanks.

> I think the best option would be to store the original password in the cookie and hash it on each page access just as you currently do for the first access.

But then, the password is going over the network in plaintext. Not nice. Even if someone intercepts the password and can access the script, it is better that he do it with the hash and not with the password. The user may use the same password on other things as well, and for those the hash will do the attacker no good. I'll reconsider the hash-of-a-hash. Thanks.

Dotan Cohen
http://what-is-what.com/what_is/javascript.html
http://technology-sleuth.com/long_answer/what_is_hdtv.html

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
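To make the exchange above concrete, here is an added example (not code from the thread or from either poster) that models the cookie-equals-hash-of-hash scheme beside a signed, expiring cookie that fits the same constraints (everything lives in one script, no database). The password, salt, secret and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values. As in the thread, the password hash lives in the
# script file; the hardened variant adds a separate signing secret next to it.
PASSWORD = "correct horse"
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
STORED_HASH = hashlib.pbkdf2_hmac("sha256", PASSWORD.encode(), SALT, 100_000).hex()
COOKIE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def login_ok(password: str) -> bool:
    """First access: hash the submitted password and compare it to the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()
    return hmac.compare_digest(candidate, STORED_HASH)


# --- The scheme discussed in the thread: cookie = hash(stored hash) ----------
def flawed_cookie() -> str:
    """Derived only from the stored hash: anyone holding the file can compute it,
    and it never expires, so a copied cookie stays valid indefinitely."""
    return hashlib.sha256(STORED_HASH.encode()).hexdigest()


def flawed_cookie_ok(cookie: str) -> bool:
    return hmac.compare_digest(cookie, flawed_cookie())


# --- A hardened variant under the same constraints ---------------------------
def signed_cookie(now: int, ttl: int = 3600) -> str:
    """Cookie = expiry timestamp + HMAC over it under a secret that is separate
    from the password hash. It expires, rotating COOKIE_SECRET revokes every
    issued cookie, and neither the password nor its hash ever travels."""
    expires = str(now + ttl)
    tag = hmac.new(COOKIE_SECRET, expires.encode(), "sha256").hexdigest()
    return f"{expires}:{tag}"


def signed_cookie_ok(cookie: str, now: int) -> bool:
    """Reject malformed, expired or tampered cookies; compare tags in constant time."""
    expires, _, tag = cookie.partition(":")
    if not expires.isdigit() or int(expires) <= now:
        return False
    expected = hmac.new(COOKIE_SECRET, expires.encode(), "sha256").hexdigest()
    return hmac.compare_digest(tag, expected)
```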