login problem
Posted: Thu Sep 14, 2006 11:09 am
by satheshf12000
feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.
Hi all,
Recently I downloaded an MD5 script. I am trying to use MD5 to encrypt the password in the login form page. I get a hashed string; that algorithm works perfectly. The problem is, how do I send the hashed string back to login_chk.php?
[syntax="html"]<form method="post" action="http://www.mysite.com/login_chk.php" name="frm">
    <input type="text" name="uname"><br>
    <input type="password" name="pass"><br>
    <input type="submit" value="go !" onsubmit="return call_md5()">
</form>
<script>
function call_md5()
{
    var pass = document.frm.pass.value;
    var md5str = hex_md5(pass);
    if (md5str == "")
        return false;
    else
        return true;
}
</script>[/syntax]
Any help would be really appreciated.
Posted: Thu Sep 14, 2006 3:53 pm
by volka
onsubmit is a property of the form element, not the input/submit.
There's no point in sending the "plain" MD5 hash; it does not improve security. If someone fetches the hash, it's just as valid/precious on your system as the "real" password is.
If you want to improve security you have to add a (random, changing) salt string, like
Code: Select all
var pass = "xazhkjdo37" + document.frm.pass.value;
Your server-side script must know this salt and use it to create its own MD5 hash for comparison.
Posted: Thu Sep 14, 2006 5:19 pm
by nickvd
volka wrote:onsubmit is a property of the form element, not the input/submit.
There's no point in sending the "plain" MD5 hash; it does not improve security. If someone fetches the hash, it's just as valid/precious on your system as the "real" password is.
If you want to improve security you have to add a (random, changing) salt string, like
Code: Select all
var pass = "xazhkjdo37" + document.frm.pass.value;
Your server-side script must know this salt and use it to create its own MD5 hash for comparison.
Salting it on the client side would probably defeat the purpose, as you must have the salt visible in plain text within the browser...
I've written a class (based off of Maugrim's tutorial) for implementing the challenge/response pattern for login (assuming it's a pattern ;))
Unfortunately, I wrote the class before I had a firmer grasp of OOP practices; I plan on refactoring it before posting it in Coding Critique.
Read Maug's tutorial; it's fairly simple and easy to understand, and should be a lot more secure than the standard way of doing login forms.
Posted: Fri Sep 15, 2006 2:23 am
by satheshf12000
Salting it on the client side would probably defeat the purpose, as you must have the salt visible in plain text within the browser...
I've written a class (based off of Maugrim's tutorial) for implementing the challenge/response pattern for login (assuming it's a pattern ;))
Unfortunately, I wrote the class before I had a firmer grasp of OOP practices; I plan on refactoring it before posting it in Coding Critique.
Read Maug's tutorial; it's fairly simple and easy to understand, and should be a lot more secure than the standard way of doing login forms.
I am reading Maugrim's tutorial. It's nice to know these things that I was wanting to learn but didn't know where to find. Reading now; I'll ask you if I have any further questions. Thanks.
Posted: Fri Oct 13, 2006 1:08 pm
by satheshf12000
I have integrated the MD5 JavaScript into my login system, thanks. Hey, I've got a new problem now. If JavaScript is disabled in the user's browser, then how can we pass the password to the authentication script in a safe manner?
Posted: Fri Oct 13, 2006 1:40 pm
by nickvd
SSL would be the only way, assuming JavaScript is disabled...
Posted: Fri Oct 13, 2006 4:20 pm
by satheshf12000
Hi,
I have come up with JavaScript detection. It detects perfectly. This works with PHP_SELF. Now I need to add MD5 and send the hashed password to the server side in a hidden field to be authenticated by login_chk.php. Can someone help me further? Can this be done?
Code: Select all
<script>
function jstest()
{
    // Only runs when JavaScript is enabled, so the server can tell the two cases apart
    document.frm.t1.value = "JavaScript_value";
}
</script>
Code: Select all
<form method="post" name="frm" action="<?php echo $_SERVER['PHP_SELF']; ?>" onsubmit="jstest()">
    <input type="hidden" name="t1">
    <input type="hidden" name="t2">
    <input type="submit" value="Submit">
</form>
<?php
// empty() also covers the first GET request, where $_POST['t1'] is not set at all
if (empty($_POST['t1']))
{
    echo "JavaScript Disabled<br>";
}
else
{
    echo "JavaScript enabled and value is : " . htmlspecialchars($_POST['t1']) . "<br>";
}
?>
Posted: Fri Oct 13, 2006 6:33 pm
by nickvd
This is taken from Maugrim's tutorial. It uses SHA256, but you should be able to modify it for MD5...
Code: Select all
function doChallengeResponse() {
    // hash the password, then bind it to the username and the server-issued challenge
    var str = document.login_form.username.value.toLowerCase() + ":" + sha256_digest(document.login_form.userpass.value) + ":" + document.login_form.challenge.value;
    document.login_form.userpass.value = ""; // erase password, or it will be sent over the wire
    document.login_form.challenge.value = ""; // erase challenge, as you don't want it sent over the wire
    document.login_form.response.value = sha256_digest(str); // populate the hidden field with the hash
    return false;
}
Posted: Fri Oct 13, 2006 7:13 pm
by feyd
Or you could stay with SHA256 and embrace the increased security it offers.

Posted: Fri Oct 13, 2006 7:23 pm
by nickvd
feyd wrote:Or you could stay with SHA256 and embrace the increased security it offers.

Very True!
Posted: Sat Oct 14, 2006 3:04 am
by satheshf12000
This is taken from Maugrim's tutorial. It uses SHA256, but you should be able to modify it for MD5...
I have already integrated the JavaScript MD5 into my login system. But what if JavaScript is disabled in the user's browser? What I am expecting is that, on the client side itself, I will test whether JavaScript is enabled or disabled. If it's enabled, no problem. If it's disabled, then I should send the MD5 string not using JavaScript but some other way. What is that other way on the client side to send the MD5 string (when JS is disabled)? Do you understand my situation?
Posted: Sat Oct 14, 2006 7:16 am
by feyd
It's not possible to hash the submission without JavaScript. You're just going to have to live with that, or more importantly, your users will. Educate them that having JavaScript enabled (at least for login) is more secure. SSL would make it even more secure, however, and is sometimes easier to support and to convince people of.
Posted: Sat Oct 14, 2006 7:49 am
by satheshf12000
It's not possible to hash the submission without JavaScript. You're just going to have to live with that, or more importantly, your users will. Educate them that having JavaScript enabled (at least for login) is more secure. SSL would make it even more secure, however, and is sometimes easier to support and to convince people of.
How can I integrate SSL? Is it free? Can someone point me to a nice guide on SSL?
Posted: Sat Oct 14, 2006 7:56 am
by feyd
SSL is typically not free. PHP functions almost exactly the same in SSL or not as it really doesn't care. SSL is normally installed or set up by your host.
Posted: Sat Oct 14, 2006 8:45 am
by satheshf12000
So does SSL involve any coding in my login.php and login_chk.php? Or do I just inform the host to activate SSL? My host says "Shared SSL with a Separate Folder". I should have https in front of login.php. Is that all that is actually involved?