Still a little bit confused:
So what if someone just creates an HTML form with a hidden field containing any "login:time" plus another hidden field with an MD5 hash made out of his own IP+login+time and submits it?
According to your explanation, I understood that if my script verified that the hash it generates from the values he submitted and his IP matches his (in this case it would), I should let him in.
Or do I in the meantime store the hash in his profile in the MySQL db and match that against his?
The only reason I would think it would be hard to do is for someone to guess that the hash was made of his IP and not something else. In that case, wouldn't it be better to make the hash out of $login.$password and then pass only the login as a hidden field? Then, to create the right MD5, someone must know the password (which I can pull from the db when validating the original hash).

Thanks for further explanations,
Mariusz

From: Bernhard van Staveren <[EMAIL PROTECTED]>
To: "mario kulka" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: session ID
Date: Wed, 12 Feb 2003 18:46:27 +0100

On Wed, 12 Feb 2003 17:07:16 +0000
"mario kulka" <[EMAIL PROTECTED]> wrote:

>
> Hi,
> I guess I'm lost again on this topic:(
> I'm basically trying the following:
> User logs in -> then he has a choice:
> 1. enter new record
> 2. edit old one
> Once taken to those new pages I somehow must keep the fact that he already
> logged in and at the same time forbid other people direct access to
> those pages (choices 1&2). I don't want to use cookies.

Without cookies it tends to be hard to do if you're doing it with
a plain old CGI application, and if you want it to be as safe as possible.

However, a way to do it is as follows:

Once the user logs in, you create a string like this:

$user_ip.":".$user_login_name.":".$user_login_time

Then you make an MD5 hash out of that, or a SHA1 hash. You park this hash
in a hidden form field, and you also park $user_login_time in a hidden
field, as well as the $user_login_name variable. (Preferably concatenate
the two and stick them in one field to obfuscate it some more for
people viewing the source.)

On every request, you check whether the hash field contains data; if it does,
the user is logged in. You can then validate the hash by taking the same
information again and re-creating the SHA1 hash. If both hashes match,
the user is who he/she says, and you can show the forms.

Doing things like this without cookies tends to be hard. There is yet another
way around it, but it's not really 'beginner' material and requires mod_perl and
an SQL database to function - let me know if you want me to explain that one.

--
Bernhard van Staveren - madcat(at)ghostfield.com
GhostField Internet - http://www.ghostfield.com/
"A witty saying proves nothing, but damn it's funny!" - me, 1998
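The scheme Bernhard describes, and the forgery Mariusz asks about in his reply, side by side as an added example (not code from either poster; the thread itself is Perl/CGI, this is Python for brevity). The server secret, the one-hour TTL and the IP addresses are assumptions introduced here. The unkeyed functions implement the post exactly: MD5 over ip:login:time with the login and time concatenated into one hidden field. The keyed functions show the hardened variant a practitioner would actually deploy: the same inputs, but run through an HMAC with a secret only the server knows, compared in constant time, and rejected once the timestamp is stale.

```python
import hashlib
import hmac
import secrets
import time

# Assumption (not in the original post): a secret the server keeps and the
# browser never sees. Generated here per process; a real deployment would load
# it from a config file so tokens survive a restart.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600  # assumption: a login token is good for one hour


def make_field(login, login_time):
    """The single hidden field Bernhard suggests: login and time concatenated.
    Time goes last so a ':' inside the login name cannot confuse the parser."""
    return f"{login}:{login_time}"


def parse_field(field):
    """Split 'login:time' back into its parts; rpartition keeps logins
    that themselves contain ':' intact."""
    login, _, login_time = field.rpartition(":")
    return login, login_time


def unkeyed_token(user_ip, login, login_time):
    """The scheme exactly as posted: MD5 over ip:login:time, no secret."""
    return hashlib.md5(f"{user_ip}:{login}:{login_time}".encode()).hexdigest()


def verify_unkeyed(user_ip, field, token):
    """Server-side check as posted: recompute from the submitted fields and
    the request's IP, then compare."""
    login, login_time = parse_field(field)
    return unkeyed_token(user_ip, login, login_time) == token


def forge_unkeyed(attacker_ip, login, login_time):
    """Mariusz's attack: build both hidden fields yourself. Every input to the
    hash is under the attacker's control, so the forged token verifies."""
    field = make_field(login, login_time)
    return field, unkeyed_token(attacker_ip, login, login_time)


def keyed_token(user_ip, login, login_time):
    """Hardened variant: HMAC-SHA256 over the same inputs, keyed with
    SERVER_SECRET. Without the secret no client can mint a valid token."""
    msg = f"{user_ip}:{login}:{login_time}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_keyed(user_ip, field, token, now=None):
    """Recompute the HMAC from the submitted field and the request's IP,
    reject malformed or stale timestamps, and compare in constant time."""
    now = time.time() if now is None else now
    login, login_time = parse_field(field)
    try:
        issued = int(login_time)
    except ValueError:
        return False
    if not 0 <= now - issued <= TOKEN_TTL_SECONDS:
        return False
    return hmac.compare_digest(keyed_token(user_ip, login, login_time), token)


if __name__ == "__main__":
    # Constructed sample: an attacker at 203.0.113.9 forges fields for "alice".
    field, forged = forge_unkeyed("203.0.113.9", "alice", 1045075587)
    print("unkeyed scheme accepts forgery:", verify_unkeyed("203.0.113.9", field, forged))
    print("keyed scheme accepts forgery:  ", verify_keyed("203.0.113.9", field, forged, now=1045075600))
    genuine = keyed_token("203.0.113.9", "alice", 1045075587)
    print("keyed scheme accepts genuine:  ", verify_keyed("203.0.113.9", field, genuine, now=1045075600))
```

The weakness is not MD5 versus SHA1; it is that the unkeyed recipe has no input the client does not control, so verifying it only proves the client knows the recipe. Binding the token to the client IP also breaks for users behind proxies or NAT whose address changes mid-session, which is why the hidden-field token is usually carried without the IP and with a short TTL instead.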
