On Thu, Oct 23, 2008 at 12:13 AM, DyingToLearn <[EMAIL PROTECTED]> wrote:
>
> The best way is to simply use https. Definitely DON'T use javascript
> for encrypting the password (unless you encrypt it again on the
> server).
>
> To remove passwords from your logs use this option in your Application
> controller
>
> filter_parameter_logging :password
>
> HTH
I actually have seen a proper way to do form based password authentication via javascript which is mostly secure, even without https. It's a bit of work though:

1. On the login form, you have a hidden field initialized by the server set to a random value (aka a "nonce").

On form submit the javascript:

2a. Converts the user password to the same format that is stored in the database (after this, the password string in the DB matches the password in javascript).

2b. Takes the resulting user password from 2a and concats it with the nonce in step 1 to create a longer string.

3. JavaScript then runs something like MD5 or SHA1 (sha-256 would be better) over this longer string to create a hashed value. I know open source md5 implementations in javascript exist - just google for it.

4. This hashed value is then sent to the server.

The server to authenticate takes the password stored in the DB and does steps 2b and 3 and then checks to see if the two hashed values match.

Note: It is VERY IMPORTANT that the random (nonce) is changed for each login. Failure to do this enables replay attacks. You could just use a monotonically increasing value using the database to store the last used value to prevent replay attacks.

Of course after all this, if your session cookie is open to replay attacks, then someone can just steal that and bypass your login altogether, so using https is really easier and safer. https also prevents man in the middle attacks which you can't stop with javascript.

Honestly, if it's worth going through all this effort to do the javascript thingy, it's probably easier to set up https and then you'll know it's secure.

--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
-- Benjamin Franklin
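The challenge-response flow Aaron describes, written out as an added example (not code from this thread or from Rails): both the browser-side computation and the server-side check are simulated in one Ruby script. It assumes SHA-256 of the plaintext as the "stored format" from step 2a and invents the names `LoginServer`, `client_submit` and `challenge_response`; nonces are single-use so a repeated submission is rejected, as the note on replay attacks requires.

```ruby
require 'digest'
require 'securerandom'

# Step 2a: the password as it is stored in the DB (assumption: SHA-256
# hex digest of the plaintext; the thread leaves the format to the app).
def stored_password_format(plaintext)
  Digest::SHA256.hexdigest(plaintext)
end

# Steps 2b and 3: hash(stored_format || nonce). Both sides run this.
def challenge_response(stored_format, nonce)
  Digest::SHA256.hexdigest(stored_format + nonce)
end

# Compare two digests without leaking where they first differ.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the browser's JavaScript would do on form submit.
def client_submit(plaintext, nonce)
  challenge_response(stored_password_format(plaintext), nonce)
end

class LoginServer
  def initialize(users)
    @users  = users # username => stored_format (constructed sample data)
    @issued = {}    # nonce => username; each nonce may be used once
  end

  # Step 1: fresh random nonce for the hidden field, tied to this login.
  def new_login_form(username)
    nonce = SecureRandom.hex(16)
    @issued[nonce] = username
    nonce
  end

  # Step 4: recompute from the stored value and compare. The nonce is
  # consumed here, so replaying the same response gets :bad_nonce.
  def authenticate(username, nonce, response)
    return :bad_nonce unless @issued.delete(nonce) == username
    stored = @users[username]
    return :no_user unless stored
    expected = challenge_response(stored, nonce)
    constant_time_eq?(expected, response) ? :ok : :bad_password
  end
end
```

Note that the browser has to reconstruct the stored digest itself, so the DB column is a password-equivalent for this scheme, which is one more reason the thread's conclusion about https stands.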

