On Mon, 17-02-2003 at 15:33, Jason Sheets wrote:
> If all you are doing is trying to allow a user to change their password
> you do not need decryption, all you need to do is md5 the new password
> and update the database.

And what happens if this MD5 is sniffed? Anyone can make a POST against the login script and authenticate. I don't use SSL due to hardware restrictions; it's a lightweight server, and I need to log in this way:

- I generate the login script with a random key.
- When the user submits the form, the password is encrypted using JavaScript this way: sent_pass=md5(entered_pass+random_key).
- This random key is stored on the server, so I can md5 again with the "plain text" user password and the random key to authenticate.

In any case (ok or not) I regenerate the random key, so if this data is sniffed, it's not useful.

Now I want to enable the user to change the password, so I need decryption on the server, because I need to know the password in plain text.

Regards.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
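
The login exchange described in the message above, as an added example that is not part of the original post: a Node.js simulation of both sides, keeping the post's MD5 and plain-text password storage. The user name, password, session id and function names are constructed for illustration.

```javascript
// Added example: simulates both sides of the challenge-response login from the post.
const crypto = require("node:crypto");

const md5 = (s) => crypto.createHash("md5").update(s, "utf8").digest("hex");

// Server state (constructed sample data). The scheme requires the server to
// hold the plain-text password, as the post notes.
const users = new Map([["alice", "correct horse"]]);
const pendingKeys = new Map(); // session id -> random key for the current form

// Server: generate the random key embedded in the login form.
function issueKey(sessionId) {
  const key = crypto.randomBytes(16).toString("hex");
  pendingKeys.set(sessionId, key);
  return key;
}

// Client: what the form's JavaScript sends instead of the password.
function clientResponse(enteredPass, randomKey) {
  return md5(enteredPass + randomKey);
}

// Server: verify, discarding the key whether the login succeeded or not.
function verify(sessionId, user, sentPass) {
  const key = pendingKeys.get(sessionId);
  pendingKeys.delete(sessionId); // single use: a sniffed value cannot be replayed
  if (key === undefined || !users.has(user)) return false;
  const expected = Buffer.from(md5(users.get(user) + key));
  const got = Buffer.from(String(sentPass));
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

function demo() {
  const key = issueKey("s1");
  const sent = clientResponse("correct horse", key); // what a sniffer would see
  const first = verify("s1", "alice", sent);
  const replaySameKey = verify("s1", "alice", sent); // key already consumed
  issueKey("s1"); // new form, new key
  const replayNewKey = verify("s1", "alice", sent); // old hash, new key
  return { first, replaySameKey, replayNewKey };
}

console.log(demo());
```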