Hi, I'm cross-posting this (from jquery-en js mailinglist) because it's something that i think is relevant for this list too..

You can ignore the jQuery in it, since all the jquery calls can be replaced with document.getElementById().

I have secured the login form for my CMS with a challenge-response thing
that encrypts both username and password with the
(login-attempts-counted) challenge (and; here's my problem: a system
hash) sent by the server (it would end up in your html as a hidden
inputs, or as part of a json transmission)..

Since then, i've found these libs that do even longer one-way-crypto:
The principles i'm about to explain stay the same.

*but i'd really like to know if my crypto can be improved*

So instead of the browser getting just a text-field for username and
password, you also send the "challenge" (and "system_hash") value.
That's a 100-character random string (include special characters!), then
sha256-ed (for prettiness mostly i think).

I really wonder if i can do without the systemhash..

------------------------------------ HTML --------------------------------
<form id="myForm">
   <input type="hidden" id="system_hash" name="system_hash"
   <input type="hidden" id="challenge" name="challenge"
   <tr><td>Login</td><td>&nbsp;</td><td><input id='login'
   <tr><td>Password</td><td>&nbsp;</td><td><input id='pass'

------------------------------------ JS ------------------------------------

   $('#myform').submit (function() {
           var s = ($'system_hash')[0];
           var c = ($'challenge')[0];
           var l = $('#login')[0];
           var p = $('#pass')[0];

           l.value = sha256 (sha256 (l.value + s.value) + c.value);
           p.value = sha256 (sha256 (p.value + s.value) + c.value);

           //Here, submit the form using ajax routines in plain text,
as both the login name and
           //password are now one-way-encrypted.
           //on the PHP end, authentication is done against a mysql
table "users".
           //in this table i have 3 relevant fields:
           //user_login_name (for administrative and display purposes)
           //user_login_name_hash (==sha256 (user_login_name +
           //user_password_hash (== passwords aint stored unencrypted
in my cms, to prevent admin corruption and pw-theft by third parties;
the password is encrypted by the browser in the "new-password-form" with
the system hash before it's ever sent to the server. server Never knows
about the cleartext password, ever.)
           //when a login-attempt is evaluated, all the records in
"users" table have to be traversed (which i admit can get slow on larger
userbases... help!?! :)
           //for each user in the users table, the loginhash and
password hash are calculated;
           //    $uh = sha256 ($users->rec["user_login_name_hash"] .
           //    $pwh = sha256 ($users->rec["user_password_hash"] .
           //and then,
           //    if they match the hash strings that were sent (both of
           //    if the number of login-attempts isn't exceeded,
           //    if the IP is still the same (as the one who first
requested the html login form with new challenge value)
           //then, maybe, i'll let 'm log in :)

phicarre wrote:
How to secure this jquery+php+ajax login procedure ?

$('#myform').submit( function()
            $(this).ajaxSubmit( {
                type:'POST', url:'login.php',
                success: function(msg)
                    **** login ok : how to call the welcome.php ***
                error: function(request,iderror)
                    alert(iderror + " " + request);
            return false;

<form id="myForm" action="" >

        Name : <input type='text' name='login' size='15' />
        <div>Password : <input type='password' name='passe' size='15' /
        <input type="submit" value="login" class="submit" />


Login.php check the parameters and reply by echo "ok" or echo "ko"

Logically if the answer is ok we must call a welcome.php module BUT,
if someone read the client code, he will see the name of the module
and can hack the server.
May I wrong ? how to secure this code ?

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to