|
|
Posted by shimmyshack on 03/27/07 14:38
On 27 Mar, 13:54, Erwin Moller
<since_humans_read_this_I_am_spammed_too_m...@spamyourself.com> wrote:
> shimmyshack wrote:
> > On 26 Mar, 15:35, "shimmyshack" <matt.fa...@gmail.com> wrote:
> >> On 26 Mar, 13:29, "sathyashrayan" <asm_f...@yahoo.co.uk> wrote:
>
> >> > On Mar 26, 4:59 pm, Erwin Moller
>
> >> > <since_humans_read_this_I_am_spammed_too_m...@spamyourself.com> wrote:
> >> > > sathyashrayan wrote:
> >> > > > Dear group,
>
> >> > > > For a log-in page I have created a mysql db and user
> >> > > > registers
> >> > > > with a user name and password. The password field is encrypted with
>
> >> > > > $passwd = sha1($_REQUEST['passwd']);
>
> >> > > > I insert the $passwd in mysql_insert. The password gets
> >> > > > encrypted and stored in mysql. Now I want to check if the user has
> >> > > > entered the correct password when he logs in. How can I do that.
> >> > > > Any help is appreciated. Thanks in advance.
>
> >> > > How?
> >> > > Compare them of course.
> >> > > The fact that the password is encrypted doesn't make it something
> >> > > else than a string of bits.
>
> >> > > So:
> >> > > supose you have a table with userid and sha1_passwd:
>
> >> > > $passwd = sha1($_REQUEST['passwd']);
> >> > > $SQL = "SELECT userid FROM tblusers where (sha1_passwd =
> >> > > '".$passwd."');";
>
> >> > > Execute it and see if it has a result. If not, no good password, if
> >> > > so, you have the userid.
>
> >> > > Regards,
> >> > > Erwin Moller
>
> >> > This way?
>
> >> > <?php
> >> > $sha = sha1("sathya"); /*$sha to be inserted in db*/
>
> >> > $new = $sha; /*save the passwd localy*/
>
> >> > if($new === $sha)
> >> > echo "correct";
> >> > else
> >> > echo "wrong";
> >> > ?>
>
> >> erwin just gave your answer.
>
> >> registration stage
> >> get user's password at registration - you should do this securely
> >> using SSL.
> >> hash and store in database = sha1(users_plaintext_password)
>
> >> login stage
> >> 1. create a random string and store in session on server,
> >> 2. send login form with username, password, and random string
> >> 3. when user enters password, set password field to
> >> sha1( sha1(users_plaintext_password)+random string ), and post form
>
> >> auth stage
> >> server computes sha1( users_hashed_password_in_database +
> >> $_SESSION['random_string'] )
>
> >> if $_POST['password'] ==
> >> sha1( users_hashed_password_in_database + $_SESSION['random_string'] )
>
> >> then OK, else not.
>
> > Sorry Erwin.
>
> Hey! Don't appologize!
> Your explanation was a lot better and clearer than my short vague response.
> :-)
> I didn't even mention a random string. ;-)
>
> Regards,
> Erwin
>
> I should add, that I was assuming that "The password
>
> > field is encrypted with" meant that he initially used javascript to
> > hash the password client side, however on rereading - it doesnt appear
> > to be the case, so in this case job done, he should just run your code!
cool, and of course I forgot to mention that the point of this random
string is to be used as a one-time-pad after the login attempt is
should be expired immediately from the session, and a new form with
new random_string sent and stored in session. this prevents passive
man-in-the-middle attempts to login after you.
You could remove the random_string from the session only after
successful login, but then that would allow the passive guy to grab
your mispelt password, adjust it and try again, (s/he is probably on
your LAN and could know enough to guess the typo) so sending a new one-
time-pad with each login form is best.
It works of course because the server has to compare
if $_POST['password']
with
sha1( users_hashed_password_in_database +
$_SESSION['random_string'] )
so if the random string has gone each time, then the server cannot
compute the same value for
users_hashed_password_in_database + $_SESSION['random_string']
as was sent by user
Remember though, this method just protects the login, if you then use
the presense of the session ID as an "authentication token" anyone
could grab that and replay it, piggybacking on your session.
Piggybacking testing can be fun though, I run a free wireless node
which is unencrypted, and friends and neighbours are happy to know we
can all piggyback if we can sniff the network and adjust the cookies -
it is simply AMAZING how many sites trust the presense of a particular
session id to proove that the user has authenticated and should have
access. It is hard to do prevent this without SSL though, so perhaps
it's just prohibitive dev/cert cost, which is where:
http://www.cacert.org/
comes in!
Navigation:
[Reply to this message]
|