But there is a big security hole there if you skip the trip to the server (whether or not you use mod_auth_tkt). In order for the Flash code or JS code to create a ticket using a shared secret, that secret needs to be downloaded to the client. Now you might be relying on Flash's binary format to protect said secret, but I wouldn't. Sending a user/pw combo on an insecure connection is not as bad as sending your shared secret out into the open on the same insecure connection. The first compromises that user's account. The second compromises every user's account.

Right, but this module doesn't do that. This module uses the CRAM-MD5 style of authentication, like SMTP servers use:

client: Hey, I want to log in!
server: Here's a challenge: $time . $seed . digest($time . $seed . $site_secret)
client: Here is my username and a hash that is digest(password, server_challenge)
server: I looked up your username in the db, and the password is 'abc'. If I hash the stored password with the server_challenge I sent you, I get the hash you sent me. I will log you in now.

things to note though:
i. if you store plaintext passwords on the server (BAD!) the client sends
                digest(password . server_challenge)
ii. if you store hashed passwords on the server (GOOD!) the client sends
                digest(digest(password) . server_challenge)
iii. this module creates a self-validating challenge, so that you don't have to store the challenge on the server - so you send the challenge back to the server

so to answer your concern:
        a. the user/pw combo is never sent on an insecure connection
        b. the server challenge is just used as a digest seed to give more security over sending an unseeded digested password and limit replay attacks.



// Jonathan Vanasco

w. http://findmeon.com/user/jvanasco
e. [EMAIL PROTECTED]

|   Founder/CEO - FindMeOn, Inc.
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|      FindMeOn.com - The cure for Multiple Web Personality Disorder
|      Privacy Minded Web Identity Management and 3D Social Networking
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


|   Founder - RoadSound.com
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|      RoadSound.com - Tools For Bands, Stuff For Fans
|      Collaborative Online Management And Syndication Tools
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



