Session tutorial: bring it back!


tim
DevNet Resident
Posts: 1165
Joined: Thu Feb 12, 2004 7:19 pm
Location: ohio

Post by tim »

JASON - where did your 'introduction to sessions' tutorial go? It seems every day I come across an opportunity to point someone to read that, and it would really REALLY help them dip their feet into sessions.

I looked in the Wiki, no go

JASON, get your ass to work! :wink: :wink:

uh, please?

=]
Illusionist
Forum Regular
Posts: 903
Joined: Mon Jan 12, 2004 9:32 pm

Post by Illusionist »

hehe, ya I noticed all Tutorials are gone except the header one. Where have they gone?!
PrObLeM
Forum Contributor
Posts: 418
Joined: Sun Mar 07, 2004 2:30 pm
Location: Mesa, AZ

Post by PrObLeM »

Yea....Where all the white woman...i mean tutorials ...yea tutorials at!
tim
DevNet Resident
Posts: 1165
Joined: Thu Feb 12, 2004 7:19 pm
Location: ohio

Post by tim »

Illusionist wrote:hehe, ya I noticed all Tutorials are gone except the header one. Where have they gone?!
Most tuts went to the "Wiki" section.

Problem, you're nasty lol :wink:
Illusionist
Forum Regular
Posts: 903
Joined: Mon Jan 12, 2004 9:32 pm

Post by Illusionist »

The "Wiki" confuses me!
tim
DevNet Resident
Posts: 1165
Joined: Thu Feb 12, 2004 7:19 pm
Location: ohio

Post by tim »

I believe it's one of those

"don't question, just enjoy it" deals, ill. lol
Illusionist
Forum Regular
Posts: 903
Joined: Mon Jan 12, 2004 9:32 pm

Post by Illusionist »

:P i try!
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

Illusionist wrote:The "Wiki" confuses me!
What was it that was confusing?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

McGruff wrote:What was it that was confusing?
:roll: Everything ;) Wiki confuses me too... it's just... *looks at his nickname* weird! :D
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

I'll admit to not having visited in a while, but my md5 tutorial is gone from the tutorials section *and* isn't included in the Wiki.

Sup with that?
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

I agree, that Wiki is the worst idea ever, so hard to find anything.

Bring back the tuts

Mark
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

Roja wrote:I'll admit to not having visited in a while, but my md5 tutorial is gone from the tutorials section *and* isn't included in the Wiki.

Sup with that?
We had a database problem a little while back and lost some data.

If you've still got a copy of the md5 tutorial, I'd be very grateful if you could send by PM.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

McGruff wrote:
Roja wrote:I'll admit to not having visited in a while, but my md5 tutorial is gone from the tutorials section *and* isn't included in the Wiki.

Sup with that?
We had a database problem a little while back and lost some data.

If you've still got a copy of the md5 tutorial, I'd be very grateful if you could send by PM.
So wait, I spent an hour writing it, you post it to tutorials, people love it.

You then move it to a wiki, and lose it, and I need to find *my* backup copy?

Sadly, I would, but I don't have a backup copy.. I honestly thought it was 'safe' here.
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Roja wrote:Sadly, I would, but I don't have a backup copy.. I honestly thought it was 'safe' here.

Thank goat for Google's site-caching. They still have the text of it - albeit the formatting is lost:
Roja's md5 tutorial wrote:
(I would have posted this in the tutorials section, but only moderators can. I'm hoping this can be a single-thread source of md5 information - it's a common topic).

What is MD5 or MD5sum?
It's a formula - a way to take a message of an arbitrary length, and create a 128-bit "fingerprint" or "message digest" of the message. MD5 is a way to verify data integrity. On these forums, it comes up fairly often in discussions about storing user passwords and other sensitive data.

Is MD5 encryption?
No. It is simply a one-way fingerprint of the message. It doesn't include the original message, and you can't (generally) use the fingerprint (the md5sum) to 'figure out' the original message.

Okay, so you take a message - like a password - and generate an MD5sum from it.. Can't you brute-force that?
Like any password system, you could attempt to brute force the answer. However, MD5sums are in a 128-bit space, meaning that to brute force it would take 2^128 attempts - that's over 3 with 38 zeroes after it.

Neat! That's a lot. Are there any flaws in the algorithm that could speed it up?
A birthday attack is based on the theory that there *might* be *one* md5sum that matches multiple inputs. In theory, it is possible that a "birthday" attack could be possible - two md5sum hashes could be the same. But even then, the total number of brute forces is at 2^64 attempts - still a heck of a lot.

Okay. But couldn't (insert super-sneaky government agency here) build an md5 dictionary, and know what the password was with the md5?
Yes. It's entirely possible. However - it would take some work to do so. For example, just for a dictionary consisting of Alphabet letters (upper and lower), and numbers, there would be 46,656,000,000 entries - all at 32 characters each. That's over 1 terabyte of data to store and search! It could be done - absolutely. But is it likely?

So it's hard to brute force, what about dictionary attacks?
Dictionary attacks are a way of attacking poor passwords - most people use words in their passwords. If you can guess the word - for example, "love", then you can cut down the number of tries it would take. Of course if you guess right, then your # of attacks = 1. However, in general, using common computers as of the writing of this (2003), you can generally get roughly 5 million attacks per second, or fast enough to guess all 8-character Alphanumericals within 497 days.

That's pretty strong - but is there anything stronger?
A similar method is SHA1 - a more secure 160-bit hashing algorithm. That makes it *much* more secure against brute-force, birthday attacks, and other forms of assault. There are yet more hashing algorithms that are even stronger - but MD5 and SHA1 are both natively supported in the latest PHP, and should be sufficient for most projects.

All right - I'm sold. Tell me how to use it to store passwords and check them.
There are three things we are protecting against - the stored passwords, the transmission of the passwords, and the replay of the password. Each is very different. Let's start with the stored password. We need to take a password, and store it in a variable. Then we need to check that variable against what the user entered:

PHP:

```php
<?php
// Only the digest of the password is kept, never the cleartext.
$secret_password = md5("LOVE");

// Hash the submitted password and compare the two digests.
// Strict comparison (===) avoids PHP's loose string-to-number juggling.
if (md5($_POST['password']) === $secret_password)
{
    echo "Correct password";
}
else
{
    echo "Incorrect password";
}
```

Simple enough. However, the password is being sent cleartext in $_POST['password']. Which brings us to another thing to protect against - the cleartext transmission. Thankfully, there is an opensource (GPL'd) javascript MD5 implementation available online. If you use that javascript library to md5 the password before sending it, the server code would look like this instead:

PHP:

```php
<?php
$secret_password = md5("LOVE");

// The client already sent md5(password), so the digests are compared directly.
if ($_POST['password'] === $secret_password)
{
    echo "Correct password";
}
else
{
    echo "Incorrect password";
}
```

Again, fairly simple. However, I mentioned the other problem - replay attacks. If someone could manage to 'sniff' the connection, and capture the md5sum, they could simply use that to login!

The solution to that can be very complex and involved - the same site for the javascript md5 function goes into great detail discussing how to implement a truly secure solution. It's called a "CHAP" login system, and here is a link to his page on it - including complete working PHP and javascript code to implement it.

MD5 is a very useful means to protect users' passwords online - if used correctly. It's not encryption, but it does help prevent whole databases of passwords being compromised.

Good reading:

The PHP manual page for MD5 (http://us3.php.net/manual/en/function.md5.php)
The PHP manual page for SHA1 (similar, but stronger algorithm) (http://us3.php.net/manual/en/function.sha1.php)
RSA's explanation of MD2/4 and MD5 (http://www.rsasecurity.com/rsalabs/faq/3-6-6.html).
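An added example, not part of Roja's tutorial or this thread: the tutorial's stored-password check next to the form PHP 7+ provides for it (password_hash()/password_verify()), plus a function that makes the replay problem of the client-side-digest variant visible. The sample password "LOVE" is the tutorial's own; nothing beyond PHP built-ins is assumed.

```php
<?php
// Added example, not from Roja's tutorial. Sample password "LOVE" is the
// tutorial's; PHP 7+ built-ins only, no framework assumed.

// Legacy form from the tutorial: an unsalted, fast md5 digest. Every account
// using the same password stores the same digest, so one precomputed table
// (the "md5 dictionary" the tutorial mentions) covers all of them at once.
function check_md5_legacy(string $stored_digest, string $submitted): bool
{
    return hash_equals($stored_digest, md5($submitted));
}

// Hardened form: password_hash() adds a random per-user salt and uses a
// deliberately slow algorithm (bcrypt under PASSWORD_DEFAULT), so the same
// password produces a different string each time and table lookups fail.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password(string $stored_hash, string $submitted): bool
{
    // password_verify() re-derives the salt from the stored string and
    // compares in constant time.
    return password_verify($submitted, $stored_hash);
}

// Client-side hashing variant from the tutorial: the server accepts whatever
// digest arrives, so the digest itself is the credential. A value recorded
// from the wire is accepted again unchanged; that is the replay problem the
// tutorial describes, and only a per-login challenge (CHAP-style) removes it.
function check_client_digest(string $stored_digest, string $arriving): bool
{
    return hash_equals($stored_digest, $arriving);
}

// Walk-through of the three properties above.
$legacy = md5('LOVE');            // tutorial's stored value
$alice  = store_password('LOVE'); // two users, same password
$bob    = store_password('LOVE');

var_dump(check_md5_legacy($legacy, 'LOVE'));     // does the right password pass?
var_dump(md5('LOVE') === $legacy);               // is the legacy digest linkable?
var_dump(check_password($alice, 'LOVE'));        // does the right password pass?
var_dump(check_password($alice, 'love'));        // is a wrong password rejected?
var_dump($alice === $bob);                       // do salted hashes still collide?
var_dump(check_client_digest($legacy, $legacy)); // does a recorded digest replay?
```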
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

Well done Patrik! I should have time to restore it over the weekend.

Roja: I do appreciate your effort. It was great to get a good quality tutorial.