Re: One-page password-protected file

On 23/10/06, David Tulloh <david@xxxxxxxxxxxx> wrote:
> Breaking this down you have a hardcoded password.
> In the script you store a hash of the password rather than the actual
> password.

Yes, no choice but to have the password in the file. I can't include()
anything, and no mysql. So, only hashed would I dare keep it.

> Upon first access you take a hash of the password and compare it against
> your stored hash.  If it's a match you have an authentic user.
> The authentic user is then supplied with a cookie that contains a hashed
> version of your hash.  On further logins you check the cookie
> information against a hashed version of your stored hash password.


> I think that this last step is really very flawed.
> You gain nothing against people finding the cookie file on the hard drive
> because the hashed version in the cookie is enough to access the page as
> a logged in user.

Yes, it would be such in any other situation, no?

> You gain nothing against people sniffing the traffic to get the
> password, they already have the password from the first page, they can
> also pick up the cookie from the traffic and simply reuse it.

Also, a problem not unique to my situation. It would be like this even
if I had a better security model.

> You actually allow someone who sees your source code to log in as they
> can calculate a hash on the string in your file and feed that in as a
> cookie.

Yes, that is my main concern. However, being a linbox, if someone is
able to see the source code then he already has access to the user's
account. Notwithstanding an Apache failure, of course.

> Hashing a hash is in general a bad idea as you actually decrease the
> randomness.

Didn't know that, thanks.

> I think the best option would be to store the original password in the
> cookie and hash it on each page access just as you currently do for the
> first access.

But then, the password is going over the network in plaintext. Not
nice. Even if someone intercepts the password and can access the
script, it is better that he do it with the hash and not with the
password. The user may use the same password on other things as well,
and for those the hash will do the attacker no good.

I'll reconsider the hash-of-a-hash. Thanks.

Dotan Cohen

http://what-is-what.com/what_is/javascript.html
http://technology-sleuth.com/long_answer/what_is_hdtv.html

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
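
An added example, not code from this thread: a single-file page in which the cookie holds only a random session ID, so neither the password nor anything computable from the script's source is stored in it. It assumes PHP 7.3+, HTTPS, and PHP's built-in file sessions; `STORED_HASH` is a placeholder and the form markup is illustrative.

```php
<?php
// Added example. Assumptions: PHP >= 7.3, site served over HTTPS,
// PHP's default file-based session storage is usable on the host.

// Placeholder: paste the output of
//   php -r 'echo password_hash("your password", PASSWORD_DEFAULT);'
// The salted hash lives in this file; it never goes into a cookie.
const STORED_HASH = 'REPLACE_WITH_password_hash_OUTPUT';

session_set_cookie_params([
    'lifetime' => 0,        // cookie dies with the browser session
    'path'     => '/',
    'secure'   => true,     // never sent over plain HTTP
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Strict',
]);
session_start();
$error = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['logout'])) {
    $_SESSION = [];
    session_destroy();      // server-side state gone; old cookie is useless
    header('Location: ' . $_SERVER['SCRIPT_NAME']);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && is_string($_POST['password'] ?? null)) {
    if (password_verify($_POST['password'], STORED_HASH)) {
        session_regenerate_id(true);  // fresh random ID after login
        $_SESSION['authenticated'] = true;
        header('Location: ' . $_SERVER['SCRIPT_NAME']);
        exit;
    }
    $error = 'Wrong password.';
}

if (empty($_SESSION['authenticated'])) { ?>
    <form method="post">
        <p><?= htmlspecialchars($error) ?></p>
        <input type="password" name="password" autocomplete="current-password">
        <button type="submit">Log in</button>
    </form>
<?php exit; } ?>
<p>Protected content goes here.</p>
<form method="post"><button name="logout" value="1">Log out</button></form>
```

A captured session cookie can still be replayed until logout or expiry, which is why the `secure` flag and HTTPS are part of the assumptions.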

