Hi! I have a web application using the ICS HTTP server component. In that web application, the user has a login form where he can enter usercode/password to log in.

To avoid sending passwords over the network, I use a classical challenge/response system: when sending the logon page, the server adds a "challenge" (a simple random string) as a hidden field. When the user clicks on the submit button, there is some JavaScript which computes Hash = MD5(Challenge + Password) and then sends the result to the server along with the user code. At the server side I use the usercode to query a password database to retrieve the password and I compute the same hash code. If the hash code from the client matches the one computed at the server side, then the password is OK and the user has access to the application. So far so good...

Now I want to validate the user against the company Active Directory. One way to do it is to use the LogonUser API from advapi32.dll. Not too complex to do. Here is the problem: to use LogonUser, I need the password in clear text. I don't want to send a clear text password from the client webpage. How can I do that?

The hash code I used as explained above can't be used since the password is not recoverable from the hash code, and of course I don't have a password database. For some reason, I can't use SSL either.

I see a possibility with public key encryption. But this is far too complex for JavaScript at the client side. Isn't it?

Maybe NTLM? But then the application would have another login screen since the browser pops up a usercode/password dialog.

Any idea is welcome.

--
[email protected]
The author of the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be

--
To unsubscribe or change your settings for the TWSocket mailing list
please go to http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
