Hi Roy,

I'm using JavaScript MD-5 encoding for sending my passwords. For each session I simply generate a random string of 5 chars. I use these functions:

    <?php
    // generate login-id

    // pick one random character from $string
    function random_char($string) {
        return $string[mt_rand(0, strlen($string) - 1)];
    }

    // build a random string of $length characters drawn from $charset_string
    function random_string($charset_string, $length) {
        // mt_rand() is seeded automatically by PHP; the explicit
        // mt_srand((double)microtime()*1000000) call from the original is
        // redundant and was dropped
        $return_string = "";
        for ($x = 0; $x < $length; $x++) {
            $return_string .= random_char($charset_string);
        }
        return $return_string;
    }

    $alphabet = "abcdefghijklmnopqrstuvwxyz";
    ?>

I generate the string by using this code:

    $randomstring = random_string($alphabet, 5);

I register this string as a session var. I called this var $loginid.

This is the code for my login form:

    <form name="login" method="post" action="login.php" onSubmit="return hash()">
    <table border="0" cellpadding="0" cellspacing="0">
      <tr>
        <td><strong>Username </strong></td>
        <td><input name="form_username" type="text" id="username" maxlength="10"></td>
      </tr>
      <tr>
        <td><strong>Password </strong></td>
        <td><input name="form_password" type="password" id="password" maxlength="10"></td>
      </tr>
    </table>
    <input name="form_loginid" type="hidden" id="loginid" value="<?php echo($loginid); ?>">
    <input name="form_md5" type="hidden" id="md5" value="">
    <p>
      <input type="submit" name="Submit" value="Login">
    </p>
    </form>

And now the code of the JavaScript function hash():

    <script language="JavaScript" type="text/javascript">
    // hex_md5() comes from the external JavaScript MD5 library that is
    // included separately; findDOM() is a helper from the same page that
    // is not shown here
    function hash() {
        if (document.login.form_username.value != '') {
            if (document.login.form_password.value != '') {
                // show the "message" element while the form is submitted
                dom = findDOM('message', 1);
                dom.display = 'block';
                // hash password + loginid; only the hash goes to the server
                normalstring = document.login.form_password.value + document.login.form_loginid.value;
                hashstring = hex_md5(normalstring);
                document.login.form_md5.value = hashstring;
                // clear the cleartext password so it is not submitted
                document.login.form_password.value = '';
                return true;
            } else {
                alert("You must type a password.\nWithout a password the login will not work.");
                return false;
            }
        } else {
            alert("You must type a username.\nWithout a username the login will not work.");
            return false;
        }
    }
    </script>

When the user clicks on 'Login' the function hash() will be called. If the fields username and password are filled, JavaScript will combine the password and the loginid into one string. This string will be encrypted and put in the field form_md5 of the login form. The password field will be cleared. Then the data will be sent to the server.

The server does essentially the same. It searches in the database for the password of the user, combines password and loginid and encrypts it.

    <?php
    $md5_data = $database_password . $loginid;
    // md5() gives the same lowercase hex digest as the original
    // bin2hex(mhash(MHASH_MD5, $md5_data)); mhash() is no longer
    // available in current PHP
    $password_md5 = md5($md5_data);
    ?>

If password_md5 and form_md5 are equal the password is correct. When the hacker captures the encoded password, he can't do anything with it. If he tries to login he must use another loginid and the server won't accept the previous code he captured.

Rolf van de Krol

-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php