Baruch Even <[EMAIL PROTECTED]> wrote:
> If someone can sniff out your session, he can easily fake the TCP/IP
> connection with ease.

Really? I understand how sniffing works (though with proxies there's potentially other ways that cookies can be spied on), but I don't really know how IP addresses are spoofed. Without control of the routers, wouldn't the return traffic end up going to the right subnet no matter what, and wouldn't the correct computer at least try to respond, even if another computer tried too? I'm not entirely clear on how TCP/IP connections are made, though, so I might be missing something there. MAC addresses have to come in there somewhere too, if I remember correctly, but I've forgotten where.

After reading your article, a non-SSL solution occurred to me. You can implement MD5 on the client through Javascript (see http://pajhome.org.uk/crypt/md5/md5src.html), and it's not even a very long bit of code. It should be easy to send the salt as a hidden field in the form, then onSubmit do a bit of code to hash the password with the salt and delete the plaintext password. This only works with Javascript-enabled browsers, but that's most people. Especially for privileged users, you can demand they use such a browser (not a big deal).

I'm not sure how to make sure the user doesn't accidentally send their plaintext password when they don't have Javascript, except to have a gateway page that uses the Javascript code to preauthenticate in some manner. Though if you don't name the password field, and use document.forms.someform[number] to access it, then I suppose it's private to the browser...?

Ian

_______________________________________________
Webware-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-devel
