> I have secured the login form for my CMS with a challenge-response thing > that encrypts both username and password with the > (login-attempts-counted) challenge (and; here's my problem: a system > hash) sent by the server (it would end up in your html as a hidden > inputs, or as part of a json transmission).. > > Since then, i've found these libs that do even longer one-way-crypto: > http://mediabeez.ws/downloads/sha256.js-php.zip > The principles i'm about to explain stay the same. > > *but i'd really like to know if my crypto can be improved* > > So instead of the browser getting just a text-field for username and > password, you also send the "challenge" (and "system_hash") value. > That's a 100-character random string (include special characters!), then > sha256-ed (for prettiness mostly i think). > > I really wonder if i can do without the systemhash.. > > ------------------------------------ HTML -------------------------------- > <form id="myForm"> > <input type="hidden" id="system_hash" name="system_hash" > value="[SHA256 SORTA-MASTER-KEY__DUNNO-WHAT-TO-DO-WITH-THIS]"/> > <input type="hidden" id="challenge" name="challenge" > value="[SHA256RANDOMSTRINGFROMPHP]"/> > <table> > <tr><td>Login</td><td> </td><td><input id='login' > name='login'/></td></tr> > <tr><td>Password</td><td> </td><td><input id='pass' > name='pass'/></td></tr> > </table> > </form> > > > ------------------------------------ JS ------------------------------------ > > $('#myform').submit (function() { > var s = ($'system_hash')[0]; > var c = ($'challenge')[0]; > var l = $('#login')[0]; > var p = $('#pass')[0]; > > l.value = sha256 (sha256 (l.value + s.value) + c.value); > p.value = sha256 (sha256 (p.value + s.value) + c.value); > > //Here, submit the form using ajax routines in plain text, > as both the login name and > //password are now one-way-encrypted. > // > //on the PHP end, authentication is done against a mysql > table "users". > // > //in this table i have 3 relevant fields: > //user_login_name (for administrative and display purposes) > //user_login_name_hash (==sha256 (user_login_name + > system_hash)) > //user_password_hash (== passwords aint stored unencrypted > in my cms, to prevent admin corruption and pw-theft by third parties; > the password is encrypted by the browser in the "new-password-form" with > the system hash before it's ever sent to the server. server Never knows > about the cleartext password, ever.) > // > //when a login-attempt is evaluated, all the records in > "users" table have to be traversed (which i admit can get slow on larger > userbases... help!?! :) > //for each user in the users table, the loginhash and > password hash are calculated; > // $uh = sha256 ($users->rec["user_login_name_hash"] . > $challenge); > // $pwh = sha256 ($users->rec["user_password_hash"] . > $challenge); > //and then, > // if they match the hash strings that were sent (both of > them), > // if the number of login-attempts isn't exceeded, > // if the IP is still the same (as the one who first > requested the html login form with new challenge value) > //then, maybe, i'll let 'm log in :) > }); > > > > > phicarre wrote: >> >> How to secure this jquery+php+ajax login procedure ? >> >> $('#myform').submit( function() >> { >> $(this).ajaxSubmit( { >> type:'POST', url:'login.php', >> success: function(msg) >> { >> **** login ok : how to call the welcome.php *** >> }, >> error: function(request,iderror) >> { >> alert(iderror + " " + request); >> } >> }); >> return false; >> }) >> >> >> <form id="myForm" action="" > >> >> Name : <input type='text' name='login' size='15' /> >> <div>Password : <input type='password' name='passe' size='15' / >> >>> >>> </div> >>> >> >> <input type="submit" value="login" class="submit" /> >> >> </form> >> >> Login.php check the parameters and reply by echo "ok" or echo "ko" >> >> Logically if the answer is ok we must call a welcome.php module BUT, >> if someone read the client code, he will see the name of the module >> and can hack the server. >> May I wrong ? how to secure this code ? >> i think you should drop the IP address out of the equation because when you're behind a firewall with rotating outgoing IP addresses, you will never get authenticated. also, traversing users table is a slow operation as you pointed out. i guess you should look into two way encryption or use ssl which is better and easier to implement. virgil http://www.jampmark.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
