Securing My Clients Password?¿?¿

JavaScript and client side scripting.


williery10
Forum Newbie
Posts: 15
Joined: Thu Feb 20, 2003 4:23 am

Post by williery10 »

Hi there,
I'm trying to find a way to secure some of the pages on my website. I was going to use a user/password entry page and store the client's password in a session variable so that access can be given to the client for these pages but not to anyone else. I thought this was great until I read that when a password is passed from the client to the webserver via an HTML password field in a form, it is encrypted using a standard encryption algorithm, so if it was intercepted by anyone then it could easily be decoded by some hacker monitoring the transmission.

How can I secure this password on the client side using PHP (or any other means that are free or quite cheap) from anybody monitoring the transmission?

Any help with this would be fantastic.

Williery :(
daven
Forum Contributor
Posts: 332
Joined: Tue Dec 17, 2002 1:29 pm
Location: Gaithersburg, MD

Post by daven »

Try md5(). It creates a hash of the password, which is pretty impossible to reverse. Note: there is no way to decrypt the password.

To use md5(), try the following scheme:

1. User registers & chooses password.
2. On the client side, use a JavaScript md5 routine (they are out there, just google for one).
3. Insert username & md5'd password into the database.
4. When the user logs in, md5 the password and compare it to the one in the database.

I would advise against storing the password in a session variable regardless, however. I tend to store the username (and lots of other stuff) in session-variables, but I only use the password to authenticate logins.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

If the md5 hash is valid as a password, you've gained nothing.
See also: viewtopic.php?t=3168
DocSeuss
Forum Newbie
Posts: 10
Joined: Sat Mar 29, 2003 3:28 am

Post by DocSeuss »

A popular method, once the login is verified, is to use sessions as a protective measure; remember I said it was popular and not 100% secure. If you have reason to believe someone is snooping your traffic they could "hi-jack" the session and gain access.
Another option is the good old .htaccess if you don't have control of Apache's httpd.conf; if you have config access, use Apache's config to protect the required directories, as .htaccess can put strain on your system if you have a few hundred users.