Hi!

I have a web application using ICS HTTP server component. In that web 
application, the user has a login form where he can enter usercode/password 
to login.

To avoid sending passwords over the network, I use a classical 
challenge/response system: when sending the logon page, the server adds a 
"challenge" (a simple random string) as a hidden field. When the user clicks 
on the submit button, there is some javascript which computes Hash = 
MD5(Challenge + Password) and then sends the result to the server along with 
the user code. At server side I use the usercode to query a password 
database to retrieve the password and I compute the same hash code. If the 
hashcode from the client matches the computed one at server side, then the 
password is OK and the user has access to the application.

So far so good...

Now I want to validate the user against the company Active Directory. One 
way to do it is to use the LogonUser API from advapi32.dll. Not too complex 
to do.

Here is the problem: To use LogonUser, I need the password in clear text. I 
don't want to send a clear text password from the client webpage. How can I 
do that? The hash code I used as explained above can't be used since the 
password is not recoverable from the hashcode and of course I don't have a 
password database. For some reason, I can't use SSL either.

I see a possibility with public key encryption. But this is far too complex 
for javascript at client side. Isn't it?
Maybe NTLM? But then the application would have another login screen since 
the browser pops a usercode/password dialog.

Any idea is welcome.

--
francois.pie...@overbyte.be
The author of the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be

-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be