But there is a big security hole there if you skip the trip to the server (whether or not you use mod_auth_tkt). In order for the Flash code or JS code to create a ticket using a shared secret, that secret needs to be downloaded to the client. Now you might be relying on Flash's binary format to protect said secret, but I wouldn't. Sending a user/pw combo on an insecure connection is not as bad as sending your shared secret out into the open on the same insecure connection. The first compromises that user's account. The second compromises every user's account.
Right, but this module doesn't do that. This module uses the CRAM-MD5 style of authentication, like SMTP servers use:

client: Hey, I want to log in!
server: Here's a challenge: $time . $seed . digest($time . $seed . $site_secret)
client: Here is my username and a hash that is digest(password, server_challenge)
server: I looked up your username in the db, and the password is 'abc'. If I hash the stored password with the server_challenge I sent you, I get the hash you sent me. I will log you in now.
Things to note, though:

i. if you store plaintext passwords on the server (BAD!), the client sends
digest(password . server_challenge)
ii. if you store hashed passwords on the server (GOOD!), the client sends
digest(digest(password) . server_challenge)
iii. this module creates a self-validating challenge, so that you don't have to store the challenge on the server; instead you send the challenge back to the server

So, to answer your concern:

a. the user/pw combo is never sent on an insecure connection
b. the server challenge is just used as a digest seed to give more security over sending an unseeded digested password and to limit replay attacks.
// Jonathan Vanasco
w. http://findmeon.com/user/jvanasco
e. [EMAIL PROTECTED]
| Founder/CEO - FindMeOn, Inc.
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| FindMeOn.com - The cure for Multiple Web Personality Disorder
| Privacy Minded Web Identity Management and 3D Social Networking
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| Founder - RoadSound.com
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| RoadSound.com - Tools For Bands, Stuff For Fans
| Collaborative Online Management And Syndication Tools
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
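The exchange described in the reply above, written out with both sides' messages as an added example. This is not the module's own code and not code from the thread: it assumes SHA-256 in place of MD5, an HMAC keyed with the site secret for the self-validating challenge, a 300-second challenge lifetime, and a made-up site secret and user table. It covers both storage variants (i) plaintext and (ii) hashed, and shows the server rejecting a wrong password, a tampered challenge, an expired (replayed) challenge and an unknown user.

```python
"""Challenge-response login in the style of the post (example code, not the module's)."""
import hashlib
import hmac
import os
import time
from typing import Optional

SITE_SECRET = b"example-site-secret-do-not-reuse"   # assumed; generate one per deployment
CHALLENGE_TTL = 300                                  # assumed challenge lifetime, seconds


def digest(data: str) -> str:
    """Hex digest used on both sides (SHA-256 stands in for MD5 here)."""
    return hashlib.sha256(data.encode()).hexdigest()


def challenge_mac(ts: str, seed: str, site_secret: bytes = SITE_SECRET) -> str:
    """Keyed MAC over time and seed; this is what makes the challenge self-validating."""
    return hmac.new(site_secret, f"{ts}.{seed}".encode(), hashlib.sha256).hexdigest()


def make_challenge(now: Optional[int] = None) -> str:
    """Server: issue "time.seed.mac". No per-challenge state is kept."""
    ts = str(int(time.time()) if now is None else now)
    seed = os.urandom(16).hex()
    return f"{ts}.{seed}.{challenge_mac(ts, seed)}"


def challenge_is_valid(challenge: str, now: Optional[int] = None, ttl: int = CHALLENGE_TTL) -> bool:
    """Server: re-verify the MAC the client handed back and reject stale challenges.

    The freshness window is what bounds replay of a captured response."""
    try:
        ts, seed, mac = challenge.split(".")
        issued = int(ts)
    except ValueError:
        return False
    if not hmac.compare_digest(mac, challenge_mac(ts, seed)):
        return False
    current = int(time.time()) if now is None else now
    return 0 <= current - issued <= ttl


def client_response(password: str, challenge: str, server_stores_hashed: bool = True) -> str:
    """Client: the password itself is never sent.

    (i)  server stores plaintext:        digest(password . challenge)
    (ii) server stores digest(password): digest(digest(password) . challenge)"""
    secret = digest(password) if server_stores_hashed else password
    return digest(secret + challenge)


def server_verify(users: dict, username: str, challenge: str, response: str,
                  now: Optional[int] = None) -> bool:
    """Server: validate the challenge, then recompute the expected response from
    whatever the user table holds (plaintext or hash) and compare in constant time."""
    if not challenge_is_valid(challenge, now=now):
        return False
    stored = users.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(digest(stored + challenge), response)


def run_exchange(now: int = 1_700_000_000) -> dict:
    """Walk through one exchange and report which attempts the server accepts."""
    # Constructed user table: alice's password is stored hashed (case ii),
    # bob's in plaintext (case i, included only to mirror the post).
    users = {"alice": digest("correct horse"), "bob": "abc"}

    challenge = make_challenge(now=now)
    good = client_response("correct horse", challenge)
    bad = client_response("wrong password", challenge)
    bob = client_response("abc", challenge, server_stores_hashed=False)

    ts, seed, mac = challenge.split(".")
    forged = f"{ts}.{seed}.{'0' * len(mac)}"      # MAC tampered: the server never issued this
    replay_now = now + CHALLENGE_TTL + 1          # same captured response, after expiry

    return {
        "accepted": server_verify(users, "alice", challenge, good, now=now),
        "wrong_password": server_verify(users, "alice", challenge, bad, now=now),
        "plaintext_store": server_verify(users, "bob", challenge, bob, now=now),
        "forged_challenge": server_verify(users, "alice", forged, good, now=now),
        "stale_replay": server_verify(users, "alice", challenge, good, now=replay_now),
        "unknown_user": server_verify(users, "mallory", challenge, good, now=now),
    }


if __name__ == "__main__":
    for name, ok in run_exchange().items():
        print(f"{name:18s} -> {'accepted' if ok else 'rejected'}")
```

Two design consequences are worth keeping in mind. Under variant (ii) the value the client proves knowledge of is digest(password), so that stored hash is itself login-equivalent: the user table must be protected as carefully as the passwords would be. And the only thing limiting replay is the TTL check on the server's own timestamp, so the server clock and the chosen lifetime decide how long a captured response stays usable.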