requiring javascript login

Posted: Sun Aug 26, 2007 1:18 am
by s.dot
For the open source application I'm currently working on (and trying to do my best at), I need a secure login routine. More than likely, this application will be run inside of the directory root, leaving it open to editing by users other than the administrator of the application.

So, a login must be necessary. SSL is not an option. I was thinking of using javascript hashing in a login form (very similar to the challenge/response login scheme, without a challenge), so passwords or usernames are never sent over an unencrypted connection in plain text.

Username & password will be stored in a config.php file

<?php

$config['username'] = 'yourusernamehere';
$config['password'] = 'yourpasswordhere';

?>
So that leaves the username and password in plain text, but (hopefully) only viewable to the administrator of said application.

Thoughts/ideas on an http secure login for an application inside of the document root? Is requiring javascript OK in this circumstance? (IE: don't have a fallback option for users without javascript)

Perhaps a $config['salt'] to make the salt unique to every user would help.

Posted: Sun Aug 26, 2007 5:55 pm
by Ambush Commander
Would this tutorial help?

Posted: Sun Aug 26, 2007 7:14 pm
by s.dot
I've already read that and successfully implemented it lots of times. That's what I'm saying... would it be considered OK to REQUIRE that type of login with no fallback for users without javascript disabled for this type of application?

Posted: Sun Aug 26, 2007 7:17 pm
by Ambush Commander
Unless you implement two-factor authentication, or use public key encryption, JavaScript's basically the only way to simulate SSL.

Posted: Sun Aug 26, 2007 10:15 pm
by ReDucTor
I personally think everyone should have a javascript enabled browser. I decided not long ago that I'm not going to support any people that aren't Javascript enabled; it's too much work trying to cover everyone, especially if you put a lot of the functionality of your site into ajax.

Re: requiring javascript login

Posted: Mon Aug 27, 2007 7:12 am
by stereofrog
scottayy wrote: Thoughts/ideas on an http secure login for an application inside of the document root? Is requiring javascript OK in this circumstance? (IE: don't have a fallback option for users without javascript)
You can also think about using HTTP-Digest authentication

Posted: Mon Aug 27, 2007 3:42 pm
by s.dot
HTTP Digest Authentication seems to be what I'm looking for. I wikipedia'd it and the description is very similar to a javascript challenge/response login -- without the javascript, so that should be good.

I'll look up some tutorials on how to implement it. Thanks.

EDIT|
The HTTP Authentication hooks in PHP are only available when it is running as an Apache module and is hence not available in the CGI version.
I'm looking for a server environment independent solution. So for now it looks like requiring a javascript login is my best bet.
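
The difference between the hashed login "without a challenge" from the first post and the challenge/response scheme discussed in the replies, shown as an added example that is not part of any poster's message. It models both ends in JavaScript (Node.js), although the application's server side would be PHP; the function names, the SHA-256 construction and the sample credentials are all assumptions.

```javascript
// Added example: both ends of the login in one file. All names are hypothetical.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

const sha256 = (s) => createHash('sha256').update(s, 'utf8').digest('hex');

// Constructed sample credentials (placeholders, as in config.php).
const config = { username: 'admin', password: 'yourpasswordhere' };

// --- Browser side: what the login form's script would submit ---
const clientStaticHash = (password) => sha256(password);  // no challenge
const clientResponse = (password, nonce) => sha256(nonce + ':' + sha256(password));

// --- Server side ---
const issued = new Set();  // outstanding nonces; a real app keeps these per session

function issueChallenge() {
  const nonce = randomBytes(16).toString('hex');
  issued.add(nonce);
  return nonce;
}

function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

// Scheme without a challenge: the submitted value is identical on every login.
function verifyStatic(submitted) {
  return safeEqual(submitted, sha256(config.password));
}

// Challenge/response: each nonce is accepted once, then discarded.
function verifyResponse(nonce, submitted) {
  if (!issued.delete(nonce)) return false;  // unknown or already-used nonce
  return safeEqual(submitted, clientResponse(config.password, nonce));
}

// Replay check: feed a previously observed submission back to each verifier.
function replayOutcome() {
  const seenStatic = clientStaticHash(config.password);
  const nonce = issueChallenge();
  const seenResponse = clientResponse(config.password, nonce);
  return {
    firstLogin: verifyResponse(nonce, seenResponse),
    staticReplayAccepted: verifyStatic(seenStatic),
    responseReplayAccepted: verifyResponse(nonce, seenResponse),
    staleResponseOnNewNonce: verifyResponse(issueChallenge(), seenResponse),
  };
}
```

Neither variant protects the session after login, and over plain HTTP the login script itself can be altered in transit, so the nonce only addresses passive capture and replay.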

Posted: Mon Aug 27, 2007 4:04 pm
by feyd
ReDucTor wrote: I personally think everyone should have a javascript enabled browser. I decided not long ago that I'm not going to support any people that aren't Javascript enabled; it's too much work trying to cover everyone, especially if you put a lot of the functionality of your site into ajax.
It's not that much work. :roll: