Re: nooB PhP login using MySQL

Posted by shimmyshack on 03/29/07 22:46

On 29 Mar, 23:06, "Ben" <nos...@thankyou.com> wrote:
> Hello, I'll bet this has been asked a million times but I can't seem to find
> a thread that gives the clear example I need.
>
> This PC has MySQL and IIS configured and running. The MySQL database is
> "myDB" with a table "myUsers" with fields "Username" and "Password". I also
> have the MySQL ODBC driver loaded with a DSN "dsnMySQL" setup.
>
> First question is can someone direct me to a site or provide a sample code
> for a login page that prompts for user/password then either displays a
> message "Login Succeeded!" or "Login Failed!"
>
> Second, how do I prevent users from bypassing the login? Session variable
> right? Need instructions on how to implement that.
>
> Lastly, what is the best, maybe I should word that differently, the most
> commonly used method for login encryption? I would like the password text
> physically in the DB to be encrypted text that is decrypted through the
> login process.

I'll deal with this only because it is something that I can just copy
and paste from a few entries on this newsgroup in the last few days,
the rest I'll leave to google.
you can get javascript sha256 (sha2), so why not use that.


>
> Ok, that'll get me through step 1. Any help appreciated.
>
> =B


firstly changing/registering the password should only be done over
SSL, unless you can use one of the js asymmetric encryption
implementations that are doing the rounds. [hee hee]

so registration stage:
get user's password at registration - you should do this securely
using SSL.
hash and store in database = sha256(users_plaintext_password)


but anyway logging in:


login stage
1. create a random string and store in session on server,
2. send login form with username and password fields, and random
string as javascript var that will be used later by function that
submits form.
3. when user enters password, set password field to
sha256( sha256(users_plaintext_password)+random string ), and post
form

auth stage
server computes sha256( users_hashed_password_in_database +
$_SESSION['random_string'] )
remove the random string immediately from the session using
$_SESSION['random_string'] = '',

if $_POST['password'] ==
sha256( users_hashed_password_in_database +
$_SESSION['random_string'] )

then OK, redirect to their destination which has a file at the top
requiring authentication

else they made an invalid attempt, redirect back to login script,
setting new random_string which is sent along with login form and also
stored in session.

Usually databases tend to use md5() or sha1(). I think that has
commonly been because more secure hashes weren't around in javascript
(and because the de facto mysql uses PASSWORD() which I think is a
euphemism for md5() ) but now that there are secure ways, and you don't
have to use PASSWORD() anyway, stick to something like sha2. There
have been noises about problems with md5, but as with all such noises,
if you wanted to be secure you would shell out for an SSL cert, or
pick one up from cacert.org for nothing.

When your users have logged in, set a new session, with a new session
ID, and try not to simply use the presence of the session id with that
value as the determining factor as to whether they have logged in or
not; after all someone could grab the session id and replay it. The
difficulty here is that if you make it too "secure" using "process or
application flow" or a running-one-time-pad for each request, the
presence of a man-in-the-middle could cause a denial of service to the
real user, whose authentication would be invalidated once the mim and
user both attempted to replay the same session. Anyway, my advice: get
yourself a free cert from www.cacert.org (which is fine for
encryption) and go get assured and join the web of trust to get your
name on it (so it can be used as proof of ownership/id).
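The registration, login and auth stages described in the reply above, written out as an added example that is not part of the original post and not the poster's code. Both the browser side and the server side are simulated in one Python module with in-memory stand-ins for the myUsers table and $_SESSION (constructed for the example; the PHP/JS split, the cookie handling and the SSL transport are assumed to exist around it). It also shows the one-time consumption of the random string, so a second submission of the same response is rejected, and compares hashes in constant time.

```python
import hashlib
import hmac
import secrets

def sha256_hex(s: str) -> str:
    """Hex SHA-256 of a UTF-8 string; stands in for the JS sha256 in the post."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()

# Constructed stand-ins: the myUsers table and the server-side $_SESSION.
users_db = {}   # Username -> sha256(plaintext password)
session = {}    # 'random_string' -> nonce issued with the login form

def register(username: str, plaintext_password: str) -> None:
    """Registration stage (over SSL in the post): store sha256(plaintext).
    Note this stored value is all a client needs to answer a challenge, so the
    database column must be protected like a password itself."""
    users_db[username] = sha256_hex(plaintext_password)

def issue_challenge() -> str:
    """Login stage step 1: random string kept in the session and sent to the form."""
    nonce = secrets.token_hex(16)
    session["random_string"] = nonce
    return nonce

def client_response(plaintext_password: str, nonce: str) -> str:
    """Login stage step 3 (browser JS in the post): sha256(sha256(pw) + nonce).
    Only this value, never the plaintext, is put in the password field."""
    return sha256_hex(sha256_hex(plaintext_password) + nonce)

def authenticate(username: str, posted_password: str) -> bool:
    """Auth stage: recompute from the stored hash, consume the nonce, compare."""
    nonce = session.get("random_string", "")
    session["random_string"] = ""   # remove immediately, on success and failure
    stored_hash = users_db.get(username)
    if not nonce or stored_hash is None:
        return False
    expected = sha256_hex(stored_hash + nonce)
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(expected.encode("utf-8"),
                               posted_password.encode("utf-8"))
```

A failed attempt leaves no usable nonce behind, so the login script must call issue_challenge() again before re-sending the form, exactly as the reply describes.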
