login problem

satheshf12000
Forum Commoner
Posts: 25
Joined: Mon Sep 04, 2006 5:38 pm
Post by satheshf12000 »

feyd | Please use [code], [/code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


Hi all..

Recently I downloaded an MD5 script. I am trying to use MD5 to encrypt the password in the login form page. I get a hashed string. That algorithm works perfectly. The problem is, how do I send the hashed string back to login_chk.php?

[syntax="html"]<form method="post" action="http://www.mysite.com/login_chk.php" name="frm">
<input type="text" name="uname"><br>
<input type="password" name="pass"><br>
<input type="submit" value="go !" onsubmit="return call_md5()">
</form>

<script>
// hex_md5() is provided by the downloaded MD5 script (not shown here)
function call_md5()
{
    var pass = document.frm.pass.value;
    var md5str = hex_md5(pass);   // hash is computed but not yet written back into the form
    if (md5str == "")
        return false;
    else
        return true;
}
</script>[/syntax]
Any help would be really appreciated.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

onsubmit is a property of the form element, not the input/submit.

There's no point in sending the "plain" md5 hash; it does not improve security. If someone fetches the hash it's just as valid/precious on your system as the "real" password is.
If you want to improve security you have to add a (random, changing) salt string, like

[code]var pass = "xazhkjdo37" + document.frm.pass.value;[/code]

Your server-side script must know this salt and use it to create its own md5 hash for comparison.
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Contact:

Post by nickvd »

volka wrote:onsubmit is a property of the form element, not the input/submit.

There's no point in sending the "plain" md5 hash; it does not improve security. If someone fetches the hash it's just as valid/precious on your system as the "real" password is.
If you want to improve security you have to add a (random, changing) salt string, like

[code]var pass = "xazhkjdo37" + document.frm.pass.value;[/code]

Your server-side script must know this salt and use it to create its own md5 hash for comparison.
Salting it on the client side would probably defeat the purpose, as you must have the salt visible in plain text within the browser...

I've written a class (based off of Maugrim's tutorial) for implementing the challenge/response pattern for login (assuming it's a pattern ;))

Unfortunately, I wrote the class before I had a firmer grasp of OOP practices; I plan on refactoring it before posting it into coding critique.

Read Maug's tutorial, it's fairly simple and easy to understand, and should be a lot more secure than the standard way of login forms.
satheshf12000
Forum Commoner
Posts: 25
Joined: Mon Sep 04, 2006 5:38 pm

Post by satheshf12000 »

nickvd wrote:Salting it on the client side would probably defeat the purpose, as you must have the salt visible in plain text within the browser...

I've written a class (based off of Maugrim's tutorial) for implementing the challenge/response pattern for login (assuming it's a pattern ;))

Unfortunately, I wrote the class before I had a firmer grasp of OOP practices; I plan on refactoring it before posting it into coding critique.

Read Maug's tutorial, it's fairly simple and easy to understand, and should be a lot more secure than the standard way of login forms.

I am reading Maugrim's tutorial. It's nice to know these things that I was wanting to learn but didn't know where to get. Reading now. I'll ask you if I have any further questions. Thanks.
satheshf12000
Forum Commoner
Posts: 25
Joined: Mon Sep 04, 2006 5:38 pm

Post by satheshf12000 »

I have integrated the MD5 JavaScript into my login system. Thanks. Hey, I've got a new problem now. If JavaScript is disabled in the user's browser, then how can we pass the password to the authentication script in a safe manner?
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Contact:

Post by nickvd »

SSL would be the only way, assuming JavaScript is disabled...
satheshf12000
Forum Commoner
Posts: 25
Joined: Mon Sep 04, 2006 5:38 pm

Post by satheshf12000 »

Hi,
I have come up with JavaScript detection. It detects perfectly. This works in PHP_SELF. Now I need to add MD5 and send the hashed password to the server side in a hidden field to be authenticated by login_chk.php. Can someone help me further? Can this be done?

[syntax="html"]<script>
	// runs only when the browser executes JavaScript: fills the hidden field t1
	function jstest()
	{
		document.frm.t1.value = "JavaScript_value";
	}
</script>

<form method="post" name="frm" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" onsubmit="jstest()">
<input type="hidden" name="t1">
<input type="hidden" name="t2">
<input type="submit" value="Submit">
</form>
<?php
	// t1 stays empty when jstest() never ran (JavaScript disabled, or first page load)
	if (!isset($_POST['t1']) || $_POST['t1'] == "")
	{
		echo "JavaScript Disabled<br>";
	}
	else
	{
		// t1 is client-supplied: escape it before echoing it back into the page
		echo "JavaScript enabled and value is : " . htmlspecialchars($_POST['t1']) . "<br>";
	}
?>[/syntax]
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Contact:

Post by nickvd »

This is taken from maugrim's tutorial, it uses SHA256, but you should be able to modify it for md5...

[syntax="javascript"]function doChallengeResponse() {
    // hash the password, then bind it to the username and the server-issued challenge
    var str = document.login_form.username.value.toLowerCase() + ":" + sha256_digest(document.login_form.userpass.value) + ":" + document.login_form.challenge.value;

    document.login_form.userpass.value = "";  // erase password, or it will be sent over the wire
    document.login_form.challenge.value = ""; // erase challenge, as you don't want it sent over the wire

    document.login_form.response.value = sha256_digest(str); // populate the hidden field with the hash
    return false;
}[/syntax]
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Or you could stay with SHA256 and embrace the increased security it offers. :)
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Contact:

Post by nickvd »

feyd wrote:Or you could stay with SHA256 and embrace the increased security it offers. :)
Very True!
satheshf12000
Forum Commoner
Posts: 25
Joined: Mon Sep 04, 2006 5:38 pm

Post by satheshf12000 »

nickvd wrote:This is taken from maugrim's tutorial, it uses SHA256, but you should be able to modify it for md5...
I have already integrated the JavaScript MD5 into my login system. But what if JavaScript is disabled in the user's browser? What I am expecting is that, on the client side itself, I will test for JavaScript enabled/disabled. If it's enabled, no problem. If it's disabled then I should send the MD5 string not using JavaScript but using another way. What is that other way on the client side to send the MD5 string (when JS is disabled)? Do you understand my situation?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It's not possible to hash the submission without Javascript. You're just going to have to live with that, or more importantly, your users will. Educate them that having Javascript enabled (at least for login) is more secure. SSL would make it even more secure and is sometimes easier to support and convince people of however.
satheshf12000
Forum Commoner
Posts: 25
Joined: Mon Sep 04, 2006 5:38 pm

Post by satheshf12000 »

feyd wrote:It's not possible to hash the submission without Javascript. You're just going to have to live with that, or more importantly, your users will. Educate them that having Javascript enabled (at least for login) is more secure. SSL would make it even more secure and is sometimes easier to support and convince people of however.
How can I integrate SSL? Is it free? Can someone tell me a nice guide on SSL?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

SSL is typically not free. PHP functions almost exactly the same in SSL or not as it really doesn't care. SSL is normally installed or set up by your host.
satheshf12000
Forum Commoner
Posts: 25
Joined: Mon Sep 04, 2006 5:38 pm

Post by satheshf12000 »

So does SSL involve any coding in my login.php and login_chk.php? Or do I just inform the host to activate SSL? My host says "Shared SSL with a Separate Folder". I should have https in front of login.php. Is that all that's actually involved?