Well, if you really want to be super-secure, you should use an https:
connection and also a challenge response system, like so.
Your initial password page and subsequent login page can send the JavaScript
version of md5, which can be found here:
http://pajhome.org.uk/crypt/md5/md5.js
Initial account creation:
Before your form is submitted, whatever plaintext the user entered is
md5'ed, and then stored in the database in md5-ed form. Without https: this
phase does leave the possibility that this md5 hash could be intercepted,
though it is nice that your user's original password is not easily
retrievable. Store the md5ed version of the password rather than plaintext
so that the user's plaintext password (which is often the same for many
sites) cannot be retrieved.
After the user account has been created, your login page then sends a random
token (which is written into a separate session variable). Something like
the system time plus a word is a good choice, and you can write it into
<input type=hidden value="token_string">. Then, before the form is
submitted, the user's password is md5'ed, then concatenated with the token,
then md5'ed again. On the server side, you take the token and the md5 hash
of the password from the database and concatenate and md5. Compare what the
form sends with this value. Voilà - basic challenge-response system. The
token serves as the "public key" in the challenge.
Hope this helps,
Eric
"dr. zoidberg" <so*****@example.wrong> wrote in message
news:X5****************@ns45.bih.net.ba...
Eric Ellsworth wrote:
Hi there, doc:
Two things to note.
1) Really all you need to store in the session is some flag saying that
the user is successfully logged in. Do be careful with register_globals
here. If you're going to hit the database every time, which I don't think is
necessary, you only really need that database connection to stay in the
session (If you really want tight security, perhaps include some way to
change session IDs every now and then to avoid session-stealing, but
this comes after making sure passwords are not transmitted as cleartext, etc.)
I can only use http. Can anybody recommend a good way of transmitting the
passwords?