On Saturday 11 October 2003 12:05 pm, 127.0.0.1 wrote:
> Within the bounds of Javascript and pHP, what is the securest login
> mechanism anyone here has come up with.
HMAC. Go read RFC 2104 for background
(http://www.rfc-editor.org/rfc/rfc2104.txt).
Next, google for an HMAC implementation in javascript.
In the login form, send down a hidden form field with a random value (place
the same value in the session).
The user types in a username and password. The submit button fires off
javascript that computes digest=HMAC( password, secret ) and submits
SessionID, username, and digest.
Back on the server side, grab the secret out of the session. Look up the
user's password and compute the HMAC using the server-side info you
have. Then compare the digests.
The neat part about this is that the digest changes every time, so you avoid
replay attacks. The bad part is that somebody has to have cleartext access
to the password. You could argue that you could just MD5 the pass and use
that for HMAC. You'd be right of course, but at that point the MD5 becomes
as good as having the actual password. You want to push the actual server
side HMAC computation as far back as possible. If you're using a database
that supports stored procedures, do it there.
--
Don Faulkner, KB5WPM |
(This space | "All that is gold does not glitter."
unintentionally | "Not all those who wander are lost."
left blank) | -- J.R.R. Tolkien