> Still a little bit confused;
> So what if someone just creates an HTML with a hidden field containing any
> "login:time" plus another hidden with MD5 hash made out of his own
> IP+login+time and submits it?

Then they just bypassed your security :) The thing is that you take a string built out of elements that -you- know what they are (user ip, time, etc.) - so to break it, they first have to figure out what goes where, and then figure out it's an MD5 hash. It more or less prevents the 'casual' hacker from getting in.

> According to your explanation I understood that if my script verified that
> the hash generated by the script based on values he submitted and his IP,
> matches his (in this case it would) I should let him in.
> Or do I in the meantime store the hash in his profile in the MySQL db and
> match that against his?
> The only reason I would think it would be hard to do is for someone to guess
> that the hash was made of his IP and not something else. In that case
> wouldn't it be better to make the hash out of: $login.$password and then pass
> as hidden only login; then someone to create the right MD5 must know the
> password (which I can pull off the db when trying to validate the original
> hash).

That's a way too, but you really want to prevent using any type of hash that can be broken by a dictionary attack (such as the login/pwd one).

See, what I use myself is mod_perl based, and uses cookies. Or rather, one single cookie that exists for as long as the browser window is open. When someone logs in (username/password match), a random hash is created and used as a key - this is stored in a MySQL table along with a creation and an expiry time (if you want sessions to expire after like 2 hrs or so). The key is then sent to the browser in a cookie - each request, the cookie is fetched, the key is extracted and then looked up in the DB to see if it's still valid - if it is, the script proceeds as usual, if it isn't, the script shows the 'please log in' page again.

This really is a much safer and better way of doing it, and it's one of the few good uses for cookies ;)
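The server-side session scheme described in the reply above (random key minted at login, stored with creation and expiry time, looked up on every request), as an added example that is not code from the thread or from the poster's mod_perl setup. It assumes an in-memory SQLite table standing in for the MySQL table, a constructed user record with a SHA-256 password digest as a stand-in for whatever the real login check does, and hypothetical function names (`login`, `validate`, `logout`); the `now` parameter exists only so expiry can be exercised without waiting two hours.

```python
"""Server-side session keys: random key stored in a DB with an expiry,
handed to the browser in a cookie, looked up on each request.

Added example, not code from the thread. SQLite (in memory) stands in for
the MySQL table; the user record below is constructed for the demo.
"""
import hashlib
import secrets
import sqlite3
import time

# Constructed demo user. A real application would store a salted, slow
# password hash (bcrypt/argon2); SHA-256 here only keeps the demo offline.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

SESSION_LIFETIME = 2 * 60 * 60  # seconds; "expire after like 2 hrs"


def open_db():
    """Create the sessions table the reply describes: key, owner,
    creation time and expiry time."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions ("
        " key TEXT PRIMARY KEY, login TEXT NOT NULL,"
        " created INTEGER NOT NULL, expires INTEGER NOT NULL)"
    )
    return db


def login(db, username, password, now=None):
    """Check username/password. On success mint a random key, record it
    with creation and expiry time, and return it (the value to set in the
    cookie). Returns None on a failed login."""
    now = int(time.time()) if now is None else now
    stored = USERS.get(username)
    given = hashlib.sha256(password.encode()).hexdigest()
    # compare_digest avoids a timing side channel on the digest comparison
    if stored is None or not secrets.compare_digest(stored, given):
        return None
    # 256 bits from the OS CSPRNG: nothing the client knows lets it be
    # reconstructed, unlike an MD5 of ip+login+time.
    key = secrets.token_hex(32)
    db.execute(
        "INSERT INTO sessions (key, login, created, expires) VALUES (?, ?, ?, ?)",
        (key, username, now, now + SESSION_LIFETIME),
    )
    return key


def validate(db, cookie_key, now=None):
    """Look the key from the cookie up in the table. Returns the login if
    the session exists and has not expired, otherwise None (the caller
    then shows the 'please log in' page). Expired rows are removed."""
    now = int(time.time()) if now is None else now
    row = db.execute(
        "SELECT login, expires FROM sessions WHERE key = ?", (cookie_key,)
    ).fetchone()
    if row is None:
        return None
    owner, expires = row
    if expires <= now:
        db.execute("DELETE FROM sessions WHERE key = ?", (cookie_key,))
        return None
    return owner


def logout(db, cookie_key):
    """Invalidate a session server-side; the cookie value becomes useless
    even if the browser keeps sending it."""
    db.execute("DELETE FROM sessions WHERE key = ?", (cookie_key,))


if __name__ == "__main__":
    conn = open_db()
    k = login(conn, "alice", "correct horse")
    print("session key for cookie:", k)
    print("valid now:", validate(conn, k))
    print("valid after expiry:", validate(conn, k, now=int(time.time()) + SESSION_LIFETIME))
```

When setting the cookie in a real handler, send it without an Expires/Max-Age attribute so the browser drops it when the window closes (the single cookie the reply describes), and add the HttpOnly and Secure flags so script and plain-HTTP requests cannot read it. Storing only a hash of the key in the table, and comparing against that, limits the damage if the sessions table itself leaks.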