On Feb 15, 2009, at 7:30 AM, Rene Veerman wrote:
Recently, on both the jQuery(.com) and PHP mailinglists, a question
has arisen on how to properly secure a login form for a non-ssl web-application.
What's the threat model?
users[user_id].user_login_hash = onewayHash(user_login_name +
pref
Hi,
> Recently, on both the jQuery(.com) and PHP mailinglists, a question has
> arisen on how to properly secure a login form for a non-ssl web-application.
> But the replies have been "get ssl".. :(
What makes you think these are ill-advised?
> I disagree, and think that with a proper layout of
[Moderator's note: top posting is not considered good form. --Perry]
Hi Rene,
I suspect from reading this quickly that you may not be a cryptographer. I'd
highly suggest that you borrow one for a bit before you go ahead with this.
I'm having a bit of trouble reading exactly what you want to do, b
On Sun, 15 Feb 2009, Rene Veerman wrote:
> Recently, on both the jQuery(.com) and PHP mailinglists, a question has
> arisen on how to properly secure a login form for a non-ssl web-application.
> But the replies have been "get ssl".. :(
Unfortunately, they are right: get SSL.
> If you have a comp
- Original Message -
From: "Rene Veerman"
Sent: Sunday, February 15, 2009 4:30 AM
Subject: how to properly secure non-ssl logins (php + ajax)
I'm going to edit this, since I assume most of the code is completely
irrelevant
proposal:
database stores Hash(password |
Rene Veerman writes:
>Recently, on both the jQuery(.com) and PHP mailinglists, a question has
>arisen on how to properly secure a login form for a non-ssl web-application.
>But the replies have been "get ssl".. :(
>
>I disagree, and think that with a proper layout of authentication
>architecture,
I think you are close, but are probably doing way too much work.
First let's define a function HMAC_MD. HMAC is defined in RFC2104
and represents the current best practice for using a hash to
"sign" a data value. It takes:
result = hmac_md(key, value)
You can use hmac with MD5, SHA1, S
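As an added example, not code from this thread: the RFC 2104 HMAC construction written out as the hmac_md(key, value) function named above, parameterised by the digest so the same code runs over MD5, SHA-1 or SHA-256. The cross-check against Python's standard hmac module, the RFC 2202 test vectors and the constant-time verify helper are additions here, not from the message.

```python
import hashlib
import hmac


def hmac_md(key: bytes, value: bytes, md: str = "md5") -> str:
    """HMAC as defined in RFC 2104, over any hashlib digest name.

    Returns the hex digest of H((K xor opad) || H((K xor ipad) || value)).
    """
    block_size = hashlib.new(md).block_size      # 64 bytes for MD5/SHA-1/SHA-256
    # RFC 2104 sec. 3: keys longer than the block size are hashed down first.
    if len(key) > block_size:
        key = hashlib.new(md, key).digest()
    # Shorter keys are zero-padded out to the block size.
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(md, ipad + value).digest()
    return hashlib.new(md, opad + inner).hexdigest()


def cross_check(key: bytes, value: bytes, md: str = "md5") -> bool:
    """True when the hand-rolled HMAC agrees with the standard library."""
    return hmac_md(key, value, md) == hmac.new(key, value, md).hexdigest()


def verify_tag(key: bytes, value: bytes, tag_hex: str, md: str = "md5") -> bool:
    """Constant-time comparison of a received tag against the expected one."""
    return hmac.compare_digest(hmac_md(key, value, md), tag_hex.lower())


if __name__ == "__main__":
    # RFC 2202 test case 1: key = 0x0b * 16, data = "Hi There".
    print(hmac_md(b"\x0b" * 16, b"Hi There", "md5"))
    print(hmac_md(b"\x0b" * 20, b"Hi There", "sha1"))
```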
Hi.
Recently, on both the jQuery(.com) and PHP mailinglists, a question has
arisen on how to properly secure a login form for a non-ssl web-application.
But the replies have been "get ssl".. :(
I disagree, and think that with a proper layout of authentication
architecture, one can really secu