Hi, I'm cross-posting this (from jquery-en js mailinglist) because it's
something that i think is relevant for this list too..
You can ignore the jQuery in it, since all the jquery calls can be
replaced with document.getElementById().
I have secured the login form for my CMS with a challenge-response thing
that encrypts both username and password with the
(login-attempts-counted) challenge (and; here's my problem: a system
hash) sent by the server (it would end up in your html as a hidden
inputs, or as part of a json transmission)..
Since then, i've found these libs that do even longer one-way-crypto:
http://mediabeez.ws/downloads/sha256.js-php.zip
The principles i'm about to explain stay the same.
*but i'd really like to know if my crypto can be improved*
So instead of the browser getting just a text-field for username and
password, you also send the "challenge" (and "system_hash") value.
That's a 100-character random string (include special characters!), then
sha256-ed (for prettiness mostly i think).
I really wonder if i can do without the systemhash..
------------------------------------ HTML --------------------------------
<form id="myForm">
<input type="hidden" id="system_hash" name="system_hash"
value="[SHA256 SORTA-MASTER-KEY__DUNNO-WHAT-TO-DO-WITH-THIS]"/>
<input type="hidden" id="challenge" name="challenge"
value="[SHA256RANDOMSTRINGFROMPHP]"/>
<table>
<tr><td>Login</td><td> </td><td><input id='login'
name='login'/></td></tr>
<tr><td>Password</td><td> </td><td><input id='pass'
name='pass'/></td></tr>
</table>
</form>
------------------------------------ JS ------------------------------------
$('#myform').submit (function() {
var s = ($'system_hash')[0];
var c = ($'challenge')[0];
var l = $('#login')[0];
var p = $('#pass')[0];
l.value = sha256 (sha256 (l.value + s.value) + c.value);
p.value = sha256 (sha256 (p.value + s.value) + c.value);
//Here, submit the form using ajax routines in plain text,
as both the login name and
//password are now one-way-encrypted.
//
//on the PHP end, authentication is done against a mysql
table "users".
//
//in this table i have 3 relevant fields:
//user_login_name (for administrative and display purposes)
//user_login_name_hash (==sha256 (user_login_name +
system_hash))
//user_password_hash (== passwords aint stored unencrypted
in my cms, to prevent admin corruption and pw-theft by third parties;
the password is encrypted by the browser in the "new-password-form" with
the system hash before it's ever sent to the server. server Never knows
about the cleartext password, ever.)
//
//when a login-attempt is evaluated, all the records in
"users" table have to be traversed (which i admit can get slow on larger
userbases... help!?! :)
//for each user in the users table, the loginhash and
password hash are calculated;
// $uh = sha256 ($users->rec["user_login_name_hash"] .
$challenge);
// $pwh = sha256 ($users->rec["user_password_hash"] .
$challenge);
//and then,
// if they match the hash strings that were sent (both of
them),
// if the number of login-attempts isn't exceeded,
// if the IP is still the same (as the one who first
requested the html login form with new challenge value)
//then, maybe, i'll let 'm log in :)
});
phicarre wrote:
How to secure this jquery+php+ajax login procedure ?
$('#myform').submit( function()
{
$(this).ajaxSubmit( {
type:'POST', url:'login.php',
success: function(msg)
{
**** login ok : how to call the welcome.php ***
},
error: function(request,iderror)
{
alert(iderror + " " + request);
}
});
return false;
})
<form id="myForm" action="" >
Name : <input type='text' name='login' size='15' />
<div>Password : <input type='password' name='passe' size='15' /
</div>
<input type="submit" value="login" class="submit" />
</form>
Login.php check the parameters and reply by echo "ok" or echo "ko"
Logically if the answer is ok we must call a welcome.php module BUT,
if someone read the client code, he will see the name of the module
and can hack the server.
May I wrong ? how to secure this code ?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
