and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]
Hi all,
Recently I downloaded an MD5 script. I am trying to use MD5 to encrypt the password in the login form page. I get a hashed string. That algorithm works perfectly. The problem is, how do I send the hashed string back to login_chk.php?
[syntax="html"]<form method = "post" action="http://www.mysite.com/login_chk.php" name="frm">
    <input type = "text" name="uname"><br>
    <input type = "password" name="pass"><br>
    <input type = "submit" value="go !" onsubmit="return call_md5()">
</form>
<script>
function call_md5()
{
    var pass = document.frm.pass.value;
    var md5str = hex_md5(pass);
    if (md5str == "")
        return false
    else
        return true
}
</script>[/syntax]
onsubmit is a property of the form element, not the input/submit.
There's no point in sending the "plain" md5 hash; it does not improve security. If someone fetches the hash it's just as valid/precious on your system as the "real" password is.
If you want to improve security you have to add a (random, changing) salt string, like
volka wrote:onsubmit is a property of the form element, not the input/submit.
There's no point in sending the "plain" md5 hash; it does not improve security. If someone fetches the hash it's just as valid/precious on your system as the "real" password is.
If you want to improve security you have to add a (random, changing) salt string, like
Salting it on the client side would probably defeat the purpose, as you must have the salt visible in plain text within the browser...
I've written a class (based off of Maugrim's tutorial) for implementing the challenge/response pattern for login (assuming it's a pattern) ;)
Unfortunately, I wrote the class before I had a firmer grasp of OOP practices. I plan on refactoring it before posting it into coding critique.
Read Maug's tutorial, it's fairly simple and easy to understand, and should be A LOT more secure than the standard way of login forms.
I am reading Maugrim's tutorial. It's nice to know these things that I was wanting to learn but didn't know where to get. Reading now. I'll ask you if I have any further questions. Thanks.
I have integrated MD5 JavaScript into my login system. Thanks. Hey, I've got a new problem now. If JavaScript is disabled in the user's browser, then how can we pass the password to the authentication script in a safe manner?
Hi,
I have come up with JavaScript detection. It detects perfectly. This works in PHP_SELF. Now I need to add MD5 and send the hashed password to the server side in a hidden field to be authenticated by login_chk.php. Can someone help me further? Can this be done?
[syntax="javascript"]function doChallengeResponse() {
    // response = hash(lowercased username : hash(password) : challenge)
    var str = document.login_form.username.value.toLowerCase() + ":" +
        sha256_digest(document.login_form.userpass.value) + ":" +
        document.login_form.challenge.value;
    document.login_form.userpass.value = ""; // erase password, or it will be sent over the wire
    document.login_form.challenge.value = ""; // erase challenge, as you don't want it sent over the wire
    document.login_form.response.value = sha256_digest(str); // populate the hidden field with the hash
    return false;
}[/syntax]
This is taken from Maugrim's tutorial. It uses SHA256, but you should be able to modify it for md5...
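The server half of the exchange above, and the replay problem volka raised earlier in the thread, as an added example (not from any post here or from Maugrim's tutorial). It is Node.js standing in for login_chk.php; the session store, account table and function names are hypothetical, and the password is constructed sample data.

```javascript
const crypto = require('crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

// Constructed account table: the server keeps sha256(password), which this scheme needs.
const users = new Map([['alice', sha256('correct horse')]]);
// Hypothetical session store: session id -> outstanding challenge (PHP would use $_SESSION).
const sessions = new Map();

function issueChallenge(sessionId, now = Date.now()) {
  const challenge = crypto.randomBytes(16).toString('hex');
  sessions.set(sessionId, { challenge, expires: now + 120000 }); // valid for two minutes
  return challenge; // goes into the hidden "challenge" field of the login form
}

// Same computation as doChallengeResponse() performs in the browser.
function clientResponse(username, password, challenge) {
  return sha256(username.toLowerCase() + ':' + sha256(password) + ':' + challenge);
}

function verifyLogin(sessionId, username, response, now = Date.now()) {
  const entry = sessions.get(sessionId);
  sessions.delete(sessionId); // single use: burned on every attempt, pass or fail
  if (!entry || now > entry.expires) return false;
  const name = String(username).toLowerCase();
  const stored = users.get(name);
  if (!stored) return false;
  // The challenge comes from the session, never from the submitted form.
  const expected = Buffer.from(sha256(name + ':' + stored + ':' + entry.challenge), 'hex');
  const got = Buffer.from(String(response), 'hex');
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// A response captured off the wire is checked again, first against the
// same (already burned) challenge and then against a fresh one.
function replayDemo() {
  const captured = clientResponse('Alice', 'correct horse', issueChallenge('s1'));
  const first = verifyLogin('s1', 'Alice', captured);
  const reusedChallenge = verifyLogin('s1', 'Alice', captured);
  issueChallenge('s2');
  const freshChallenge = verifyLogin('s2', 'Alice', captured);
  return { first, reusedChallenge, freshChallenge };
}
```

The stored sha256(password) is all that is needed to compute a valid response, so a leaked user table is as damaging as leaked passwords, and the exchange does nothing against someone who can modify the page in transit; HTTPS covers that part.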
I have already integrated the JavaScript MD5 into my login system. But what if JavaScript is disabled in the user's browser? What I am expecting is that, on the client side itself, I will test for JavaScript enabled/disabled. If it's enabled, no problem. If it's disabled, then I should send the MD5 string not using JavaScript but using another way. What is that other way on the client side to send the MD5 string (when JS is disabled)? Understood my situation?
It's not possible to hash the submission without Javascript. You're just going to have to live with that, or more importantly, your users will. Educate them that having Javascript enabled (at least for login) is more secure. SSL would make it even more secure and is sometimes easier to support and convince people of however.
How can I integrate SSL? Is it free? Can someone tell me a nice guide on SSL?
SSL is typically not free. PHP functions almost exactly the same in SSL or not as it really doesn't care. SSL is normally installed or set up by your host.
So does SSL involve any coding in my login.php and login_chk.php? Or do I just inform the host to activate SSL? My host says Shared SSL with a Separate Folder. I should have https in front of the login.php. Is that all that is actually involved?