Has anyone ever successfully used a public key encryption library in JavaScript/PHP and used it to implement a poor man's SSL?
I want users to login but the login.php script is in the same directory as the root of the site. Obviously I don't want SSL protection on page request but strictly for that single file.
Can SSL be used on a single file despite residing in a directory which houses other (non-SSL required) pages?
Edit: If you have used a JavaScript/PHP combo library please also indicate the URL so I can quickly and easily download it and begin using it, thanks
Look at Challenge-Response authentication. I believe there was once a thread created here about it. You can easily do challenge-response with JS/PHP. Essentially:
1. Server produces a unique string (based on time and hostname maybe?) then adds it to a session var
2. Unique string sent to client as a challenge (hidden text field should suffice, it doesn't have to be secret)
3. Client reads user's password then combines it with the challenge, before finally hashing it, MD5 and sending only the hash back to the server (response)
4. Server performs the equivalent hashing algorithm using the challenge it stored in the session and sees if it matches the response. If so, success.
It's just a basic way to eliminate plain-text passwords being sent. Easy to implement too.
d11wtq wrote:Look at Challenge-Response authentication. I believe there was once a thread created here about it. You can easily do challenge-response with JS/PHP. Essentially:
1. Server produces a unique string (based on time and hostname maybe?) then adds it to a session var
2. Unique string sent to client as a challenge (hidden text field should suffice, it doesn't have to be secret)
3. Client reads user's password then combines it with the challenge, before finally hashing it, MD5 and sending only the hash back to the server (response)
4. Server performs the equivalent hashing algorithm using the challenge it stored in the session and sees if it matches the response. If so, success.
It's just a basic way to eliminate plain-text passwords being sent. Easy to implement too.
Yea I remember that article by Maurgrim...only glanced over it though...didn't really get the point but you cleared that up nicely.
Thanks, I'll look into it.
Edit: After some more research sounds like SSL is the way to go. I really hate those dialog confirmation boxes but it sounds like you can generate your own self-signed certificate, in which case that dialog wouldn't popup.
I can move the script to a sub domain like: https://login.domain.com and that should work nicely.
Why wouldn't you just go to GoDaddy and get a real SSL cert for like $17 and put that up, if you are really not concerned about security to the point that you are willing to roll your own cert?
And SSL typically runs out of port 443, not port 80, so there is usually a virtual server set up for *:443 that houses the secure files, so I don't think technically secure and insecure documents would live in the same directory tree unless you point *:80 and *:443 to the same directory, which in my opinion you should not do.
I thought a signed cert was simply to avoid that dialog popup and if someone checked it would be from a recognized "provider"?
In this case, it's simply to log in users to an admin panel for their web sites. No need for validity in cert names, I just want to secure the connection for my server's own well-being...
Hockey wrote:I want users to login but the login.php script is in the same directory as the root of the site. Obviously I don't want SSL protection on page request but strictly for that single file.
Can SSL be used on a single file despite residing in a directory which houses other (non-SSL required) pages?
Huh?!? No "protection" on the request, but "protection" on a file?!? What the heck are you talking about?!? And what does "protection" mean?
HTTPS is a scheme to transport HTTP over SSL. Because it is a scheme, you specify in the URI which transport you want. That means one file/page or any mix. Stop trying to implement your own Protect-O-nator and configure your web server for HTTPS -- it is really easy to do and can be done for free. Good grief!