requiring javascript login

Post by s.dot »

For the open source application I'm currently working on (and trying to do my best at), I need a secure login routine. More than likely, this application will be run inside of the directory root, leaving it open to editing by users other than the administrator of the application.

So, a login must be necessary. SSL is not an option. I was thinking of using javascript hashing in a login form (very similar to the challenge/response login scheme, without a challenge), so passwords or usernames are never sent over an unencrypted connection in plain text.

Username & password will be stored in a config.php file

<?php

$config['username'] = 'yourusernamehere';
$config['password'] = 'yourpasswordhere';

?>
So that leaves the username and password in plain text, but (hopefully) only viewable to the administrator of said application.

Thoughts/ideas on an http secure login for an application inside of the document root? Is requiring javascript OK in this circumstance? (IE: don't have a fallback option for users without javascript)

Perhaps a $config['salt'] to make the salt unique to every user would help.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.

Post by Ambush Commander »

Would this tutorial help?

Post by s.dot »

I've already read that and successfully implemented it lots of times. That's what I'm saying... would it be considered OK to REQUIRE that type of login with no fallback for users without javascript disabled for this type of application?

Post by Ambush Commander »

Unless you implement two-factor authentication, or use public key encryption, JavaScript's basically the only way to simulate SSL.

Post by ReDucTor »

I personally think everyone should have a javascript enabled browser. I decided not long ago that I'm not going to support any people that aren't Javascript enabled; it's too much work trying to cover everyone, especially if you put a lot of the functionality of your site into ajax.

Post by stereofrog »

scottayy wrote: Thoughts/ideas on an http secure login for an application inside of the document root? Is requiring javascript OK in this circumstance? (IE: don't have a fallback option for users without javascript)
You can also think about using HTTP-Digest authentication.

Post by s.dot »

HTTP Digest Authentication seems to be what I'm looking for. I wikipedia'd it and the description is very similar to a javascript challenge/response login -- without the javascript, so that should be good.

I'll look up some tutorials on how to implement it. Thanks.

EDIT:
The HTTP Authentication hooks in PHP are only available when it is running as an Apache module and is hence not available in the CGI version.
I'm looking for a server environment independent solution. So for now it looks like requiring a javascript login is my best bet.

Post by feyd »

ReDucTor wrote: I personally think everyone should have a javascript enabled browser. I decided not long ago that I'm not going to support any people that aren't Javascript enabled; it's too much work trying to cover everyone, especially if you put a lot of the functionality of your site into ajax.
It's not that much work. :roll:
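
The challenge/response login this thread weighs against a plain JavaScript hash, as an added example that is not code from any poster or from the application discussed. Both sides are modelled in Node.js (in the browser, `clientResponse` would be the login form's script); the credentials, function names and 60-second nonce lifetime are assumptions.

```javascript
const crypto = require('crypto');

// Constructed sample credentials, standing in for the values in config.php.
const config = { username: 'admin', password: 'correct horse battery' };

// Server-side store of outstanding challenges: nonce -> expiry time in ms.
const pending = new Map();

// Server: issue a fresh random challenge to embed in the login form.
function issueChallenge(now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(nonce, now + 60000);
  return nonce;
}

// Client (the form's JavaScript): only this HMAC crosses the wire.
function clientResponse(username, password, nonce) {
  return crypto.createHmac('sha256', password)
    .update(username + ':' + nonce).digest('hex');
}

// Server: recompute the HMAC and compare in constant time. The nonce is
// consumed on every attempt, so a captured response cannot be replayed.
function verifyLogin(username, nonce, response, now = Date.now()) {
  const expiry = pending.get(nonce);
  pending.delete(nonce);
  if (expiry === undefined || now > expiry) return false;
  const expected = Buffer.from(
    clientResponse(config.username, config.password, nonce), 'hex');
  const got = Buffer.from(String(response), 'hex');
  const userOk = username === config.username;
  return userOk && got.length === expected.length &&
    crypto.timingSafeEqual(got, expected);
}

// For comparison: a hash computed without a challenge is the same value on
// every login, so whoever captures it holds a reusable credential.
function staticHash(username, password) {
  return crypto.createHash('sha256')
    .update(username + ':' + password).digest('hex');
}
```

The server still needs the plaintext password from config.php to recompute the HMAC, and the scheme only keeps the password off the wire; without SSL the page and its script can still be altered in transit.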