A common way to identify a client is to use the challenge-response
algorithm. It works like this:

Ps is the password stored on the server
Pc is the password entered by the client
H is a hash-function (md5 for example)
V is a 'random' value

Server calculates H(V + Ps) and saves this in a session variable. The server
then sends V to the client, which responds with H(V + Pc). Now, the server can
compare H(V + Ps) with H(V + Pc). If they are equal, the user must have
given the correct password! Otherwise the identification failed.

The good thing with this algorithm is that no password needs to be sent in
plain text between the client and the server. The random value is used to
ensure that the response is not just something that a hacker has sniffed in
a previous session. The downside is that the database must be secure, since
the passwords are stored in plain text.

An even better way is of course to use SSL. In that case the client just sends
the password to the server and the server compares H(P) with the stored hash
in the database.

Don't know if this was what you were looking for...

/torgil

> -----Original message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]For Russ Michell
> Sent: 13 September 2001 17:36
> To: [EMAIL PROTECTED]
> Subject: [PHP-DB] Straightforward authentication?
>
>
> Hi all:
>
> The few php/MySQL apps I've developed that required
> username/password access, have simply been a
> means of comparing usernames and hashes of passwords in a DB. My
> next application needs to be
> slightly more secure but nothing like the needs of protecting
> online banking or vulnerable private
> info.
>
> I have read several articles at phpbuilder.com and stuff at
> php.net, and frankly most of it seems
> to be overly contrived.
>
> I wonder whether some list members would be able to point me in
> the direction of code and/or
> tutorials that *explain* in English what they're doing and why.
> For example why they are storing an
> MD5() hash of something in a separate file outside the
> web-server's doc-root etc etc.
>
> Once I have my head round the concepts I'll be posting my
> findings to a public location which
> list-members will be among the first to view.
>
> I thank y'all for any help you are able to give.
> Cheers
>
> Russ
>
> #-------------------------------------------------------#
>
>   "Believe nothing - consider everything"
>
>   Russ Michell
>   Anglia Polytechnic University Webteam
>   Room 1C 'The Eastings' East Road, Cambridge
>
>   e: [EMAIL PROTECTED]
>   w: www.apu.ac.uk/webteam
>   t: +44 (0)1223 363271 x 2331
>
>   www.theruss.com
>
> #-------------------------------------------------------#
>
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
>
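The challenge-response exchange torgil describes above, as an added example that is not code from either poster. It assumes SHA-256 in place of the MD5 the reply mentions (the construction H(V + P) is the same), uses a constant-time comparison, and also shows the replay property the reply claims: a response sniffed from one session does not verify against a fresh V.

```python
import hashlib
import hmac
import secrets

# H(V + P) as described in the thread. SHA-256 is assumed here instead of
# MD5; the construction is identical.
def H(challenge: bytes, password: str) -> str:
    return hashlib.sha256(challenge + password.encode()).hexdigest()


class Server:
    """Holds Ps in plain text, as this scheme requires (its stated downside)."""
    def __init__(self, stored_password: str):
        self.ps = stored_password            # Ps: must be kept in plain text
        self.sessions = {}                   # session id -> expected H(V + Ps)

    def new_challenge(self):
        session_id = secrets.token_hex(8)
        v = secrets.token_bytes(16)          # V: fresh random value per session
        self.sessions[session_id] = H(v, self.ps)
        return session_id, v                 # V is what goes over the wire

    def verify(self, session_id: str, response: str) -> bool:
        expected = self.sessions.pop(session_id, None)  # one-shot: V never reused
        if expected is None:
            return False
        return hmac.compare_digest(expected, response)  # constant-time compare


def client_response(v: bytes, entered_password: str) -> str:
    return H(v, entered_password)            # H(V + Pc); Pc never leaves the client


def run_exchange(server: Server, entered_password: str) -> bool:
    session_id, v = server.new_challenge()           # server -> client: V
    response = client_response(v, entered_password)  # client -> server: H(V + Pc)
    return server.verify(session_id, response)


def replay_attempt(server: Server, correct_password: str) -> bool:
    """Capture one valid response, then present it again against a new V."""
    sid1, v1 = server.new_challenge()
    captured = client_response(v1, correct_password)
    server.verify(sid1, captured)                    # legitimate login succeeds
    sid2, _v2 = server.new_challenge()               # new session, new V
    return server.verify(sid2, captured)             # old response is rejected


if __name__ == "__main__":
    srv = Server("constructed-sample-password")
    print(run_exchange(srv, "constructed-sample-password"))   # True
    print(run_exchange(srv, "wrong-password"))                 # False
    print(replay_attempt(srv, "constructed-sample-password"))  # False
```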