Re: [Fwd] How to make a secured login form

Have a look at my post called "for the security minded web developer -
secure way to login?". It seems like a similar idea with less overhead.

Regards,
Tim

Tim-Hinnerk Heuer

http://www.ihostnz.com
Joan Rivers  - "Never floss with a stranger."

2009/2/14 Virgilio Quilario <virgilio.quilario@xxxxxxxxx>

> > I have secured the login form for my CMS with a challenge-response thing
> > that encrypts both username and password with the
> > (login-attempts-counted) challenge (and, here's my problem: a system
> > hash) sent by the server (it would end up in your HTML as hidden
> > inputs, or as part of a JSON transmission).
> >
> > Since then, I've found these libs that do even longer one-way-crypto:
> > http://mediabeez.ws/downloads/sha256.js-php.zip
> > The principles I'm about to explain stay the same.
> >
> > *but I'd really like to know if my crypto can be improved*
> >
> > So instead of the browser getting just a text-field for username and
> > password, you also send the "challenge" (and "system_hash") value.
> > That's a 100-character random string (include special characters!), then
> > sha256-ed (for prettiness mostly, I think).
> >
> > I really wonder if I can do without the systemhash..
> >
> > ------------------------------------ HTML --------------------------------
> > <form id="myForm">
> >   <input type="hidden" id="system_hash" name="system_hash" value="[SHA256 SORTA-MASTER-KEY__DUNNO-WHAT-TO-DO-WITH-THIS]"/>
> >   <input type="hidden" id="challenge" name="challenge" value="[SHA256RANDOMSTRINGFROMPHP]"/>
> >   <table>
> >   <tr><td>Login</td><td>&nbsp;</td><td><input id='login' name='login'/></td></tr>
> >   <tr><td>Password</td><td>&nbsp;</td><td><input id='pass' name='pass'/></td></tr>
> >   </table>
> > </form>
> >
> >
> > ------------------------------------ JS ------------------------------------
> >
> >   $('#myForm').submit (function() {
> >           var s = $('#system_hash')[0];
> >           var c = $('#challenge')[0];
> >           var l = $('#login')[0];
> >           var p = $('#pass')[0];
> >
> >           l.value = sha256 (sha256 (l.value + s.value) + c.value);
> >           p.value = sha256 (sha256 (p.value + s.value) + c.value);
> >
> >           //Here, submit the form using ajax routines in plain text,
> >           //as both the login name and password are now one-way-encrypted.
> >           //
> >           //on the PHP end, authentication is done against a mysql
> >           //table "users".
> >           //
> >           //in this table i have 3 relevant fields:
> >           //user_login_name (for administrative and display purposes)
> >           //user_login_name_hash (==sha256 (user_login_name + system_hash))
> >           //user_password_hash (== passwords ain't stored unencrypted
> >           //in my cms, to prevent admin corruption and pw-theft by third
> >           //parties; the password is encrypted by the browser in the
> >           //"new-password-form" with the system hash before it's ever sent
> >           //to the server. server Never knows about the cleartext
> >           //password, ever.)
> >           //
> >           //when a login-attempt is evaluated, all the records in
> >           //"users" table have to be traversed (which i admit can get slow
> >           //on larger userbases... help!?! :)
> >           //for each user in the users table, the loginhash and
> >           //password hash are calculated;
> >           //    $uh = sha256 ($users->rec["user_login_name_hash"] . $challenge);
> >           //    $pwh = sha256 ($users->rec["user_password_hash"] . $challenge);
> >           //and then,
> >           //    if they match the hash strings that were sent (both of them),
> >           //    if the number of login-attempts isn't exceeded,
> >           //    if the IP is still the same (as the one who first
> >           //    requested the html login form with new challenge value)
> >           //then, maybe, i'll let 'em log in :)
> >   });
> >
> >
> >
> >
> > phicarre wrote:
> >>
> >> How to secure this jquery+php+ajax login procedure ?
> >>
> >> $('#myForm').submit( function()
> >>        {
> >>            $(this).ajaxSubmit( {
> >>                type:'POST', url:'login.php',
> >>                success: function(msg)
> >>                {
> >>                    // **** login ok : how to call the welcome.php ***
> >>                },
> >>                error: function(request,iderror)
> >>                {
> >>                    alert(iderror + " " + request);
> >>                }
> >>            });
> >>            return false;
> >>        });
> >>
> >>
> >> <form id="myForm" action="" >
> >>
> >>        Name : <input type='text' name='login' size='15' />
> >>        <div>Password : <input type='password' name='passe' size='15' /></div>
> >>
> >>        <input type="submit" value="login" class="submit" />
> >>
> >> </form>
> >>
> >> Login.php checks the parameters and replies with echo "ok" or echo "ko"
> >>
> >> Logically, if the answer is ok we must call a welcome.php module BUT,
> >> if someone reads the client code, he will see the name of the module
> >> and can hack the server.
> >> Am I wrong? How to secure this code?
> >>
>
> I think you should drop the IP address out of the equation because
> when you're behind a firewall with rotating outgoing IP addresses, you
> will never get authenticated.
>
> Also, traversing the users table is a slow operation, as you pointed out.
>
> I guess you should look into two-way encryption or use SSL, which is
> better and easier to implement.
>
> virgil
> http://www.jampmark.com
>
>
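
The exchange described in the quoted post, with the browser and server sides written out in Node.js; this is an added example, not code from the thread. The user rows, `MAX_ATTEMPTS`, the `pending` map and the single-use challenge are assumptions, and the IP check is left out.

```javascript
const crypto = require('node:crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

// Constructed sample data; SYSTEM_HASH stands in for the "system_hash" hidden input.
const SYSTEM_HASH = sha256('constructed-system-secret');
const row = (name, pw) => ({
  user_login_name: name,
  user_login_name_hash: sha256(name + SYSTEM_HASH),
  user_password_hash: sha256(pw + SYSTEM_HASH), // what the new-password form would send
});
const users = [row('alice', 'correct horse'), row('bob', 'constructed-pw')];
const MAX_ATTEMPTS = 3;    // assumed limit; the post gives no number
const pending = new Map(); // assumed store: challenge -> attempts used

// Server: fresh random challenge sent with the login form.
function issueChallenge() {
  const c = sha256(crypto.randomBytes(64).toString('hex'));
  pending.set(c, 0);
  return c;
}

// Browser: what the submit handler posts instead of the clear-text fields.
function clientResponse(login, pass, systemHash, challenge) {
  return {
    challenge,
    login: sha256(sha256(login + systemHash) + challenge),
    pass: sha256(sha256(pass + systemHash) + challenge),
  };
}

// Constant-time comparison of two hex digests.
function eq(a, b) {
  const x = Buffer.from(String(a), 'hex'), y = Buffer.from(String(b), 'hex');
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Server: count the attempt, then traverse the users table as the post describes.
function verifyLogin(resp) {
  const used = pending.get(resp.challenge);
  if (used === undefined || used >= MAX_ATTEMPTS) return null; // unknown or used up
  pending.set(resp.challenge, used + 1);
  for (const u of users) {
    const uh = sha256(u.user_login_name_hash + resp.challenge);
    const pwh = sha256(u.user_password_hash + resp.challenge);
    if (eq(uh, resp.login) && eq(pwh, resp.pass)) {
      pending.delete(resp.challenge); // assumption: a challenge is single-use
      return u.user_login_name;
    }
  }
  return null;
}
```

`verifyLogin` returns the matching `user_login_name` or `null`; every call hashes each row twice, which is the traversal cost both posters mention.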
