Hi All,

A few months ago it came to my mind, that it might be possible to make
non-https session (reasonably) secure by at least not letting people login
that shouldn't because they might have sniffed the password from a user.
Please let me know if you can find a loop hole in this process. I think it
would be interesting for anybody on this list (or anybody really) who has a
bit of knowlege and appreciation about security:


The session variables are stored on the web server and not transferred to
the client at all.
The client has Javascript enabled.
We have a secure hash function, say sha1.
We can generate truly random numbers/strings with PHP which cannot be
guessed call it salt.
A session cannot be stolen.
... add more if needed. :-)

So, we could on the server generate a random salt value and send that to the
client along with the login form.
On the client, when the user submits the form, we take the entered password
value (with Javascript), hash it with our sha1 function, concatenate it with
the salt and compute the hash value of the password together with the salt
(again). All this in Javascript or whatever runs on the client.

We then send this hash value, call it h(h(p) + s) (hash(hash(password) +
salt)), to the server. Its useless for the sniffer, because the same value
will never be sent twice, unless of course the user (password) and the salt
are the same (or there is a collision, but we assumed its a secure hash
We could make sure that a user doesn't get sent the same salt twice by
storing them in the database when used and checking against them when it is
On the server we could do the same process with the stored hash of the
password (assuming the hash of the password is stored), otherwise it becomes
necessary to also send the actual salt of the password along with the login
form and this would become even a little more complex.

So, if h(p) is stored, we would simply compute h(h(p) + s) where s is the
salt that was sent and stored in a session variable.

Assuming we don't use a salt to store the password hash, this seems quite
secure to me, don't you think? I mean, of course someone can still steel the
session but it becomes a lot harder to figure out the password by sniffing.

What do you think?

If everybody agrees this is worth implementing, i might give it a go and
make a library.

Sorry this is not directly PHP related, but since i like this list, i
thought i would share it with you.


Tim-Hinnerk Heuer

Joan Rivers  - "Never floss with a stranger."

Reply via email to