Posted by Ben on 03/30/07 01:21

"shimmyshack" <matt.farey@gmail.com> wrote in message
news:1175208366.040091.161750@l77g2000hsb.googlegroups.com...
> On 29 Mar, 23:06, "Ben" <nos...@thankyou.com> wrote:
>> Hello, I'll bet this has been asked a million times but I can't seem to
>> find
>> a thread that gives the clear example I need.
>>
>> This PC has MySQL and IIS configured and running. The MySQL database is
>> "myDB" with a table "myUsers" with fields "Username" and "Password". I
>> also
>> have the MySQL ODBC driver loaded with a DSN "dsnMySQL" setup.
>>
>> First question is can someone direct me to a site or provide a sample
>> code
>> for a login page that prompts for user/password then either displays a
>> message "Login Succeeded!" or "Login Failed!"
>>
>> Second, how do I prevent users from bypassing the login? Session
>> variable
>> right? Need instructions on how to implement that.
>>
>> Lastly, what is the best, maybe I should word that differently, the most
>> commonly used method for login encryption? I would like the password
>> text
>> physically in the DB to be encrypted text that is decrypted through the
>> login process.
>
> I'll deal with this only because it is something that I can just copy
> and paste from a few entries on this newsgroup in the last few days,
> the rest I'll leave to google.
> you can get javascript sha256 (sha2) so why not use that.
>
>
>>
>> Ok, that'll get me through step 1. Any help appreciated.
>>
>> =B
>
>
> firstly changing/registering the password should only be done over
> SSL, unless you can use one of the js asymmetric encryption
> implementations that are doing the rounds. [hee hee]
>
> so registration stage:
> get user's password at registration - you should do this securely
> using SSL.
> hash and store in database = sha256(users_plaintext_password)
>
>
> but anyway logging in:
>
>
> login stage
> 1. create a random string and store in session on server,
> 2. send login form with username and password fields, and random
> string as javascript var that will be used later by function that
> submits form.
> 3. when user enters password, set password field to
> sha256( sha256(users_plaintext_password)+random string ), and post
> form
>
> auth stage
> server computes sha256( users_hashed_password_in_database +
> $_SESSION['random_string'] )
> remove the random string immediately from the session using
> $_SESSION['random_string'] = '',
>
> if $_POST['password'] ==
> sha256( users_hashed_password_in_database +
> $_SESSION['random_string'] )
>
> then OK, redirect to their destination which has a file at the top
> requiring authentication
>
> else they made an invalid attempt, redirect back to login script,
> setting new random_string which is sent along with login form and also
> stored in session.
>
> Usually databases tend to use md5() or sha1(); I think that has
> commonly been because more secure hashes weren't around in javascript
> (and because the de facto mysql uses PASSWORD() which I think is a
> euphemism for md5() ) but now that there are secure ways, and you don't
> have to use PASSWORD() anyway, stick to something like sha2. There
> have been noises about problems with md5 but as with all such noises,
> if you wanted to be secure you would shell out for an SSL cert, or
> pick one up from cacert.org for nothing.
>
> When your users have logged in, set a new session, with a new session
> ID, and try not to simply use the presence of the session id with that
> value as the determining factor as to whether they have logged in or
> not, after all someone could grab the session id and replay it. The
> difficulty here is that if you make it too "secure" using "process or
> application flow" or a running-one-time-pad for each request the
> presence of a man-in-the-middle could cause a denial of service to the
> real user, whose authentication would be invalidated once the MITM and
> user both attempted to replay the same session. Anyway, my advice: get
> yourself a free cert from www.cacert.org (which is fine for
> encryption) and go get assured and join the web of trust to get your
> name on it (so it can be used as proof of ownership/id).
>

We have the cert. Thanks for your info it was helpful. I'm unfamiliar with
PHP/Java...a VFP programmer actually. Was hoping for something more
specific. Spent a lot of time at google before posting and found lots of
info but all pre-coded tools with no walk-through. I'm looking to understand
what is happening and not just implement someone else's stuff. Lean code
geared just for a secure login. I'll find it eventually. Thanks again for
the reply.

=B
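The registration, login and auth stages shimmyshack sketches above, written out as one runnable walk-through. This is an added example, not code from either poster; it uses Python for both the browser-side computation and the server-side check so the whole exchange can be run offline, and the names (USER_DB, issue_challenge, client_response, authenticate) are assumptions. Two details beyond the post: the server computes its expected value before it blanks the random string (so the comparison still has the nonce to work with), and the comparison uses a constant-time compare.

```python
import hashlib
import hmac
import secrets

# Constructed sample "database": username -> sha256(plaintext password),
# which is what the post says to store at registration time.
USER_DB = {}


def sha256_hex(s: str) -> str:
    """Hex digest of sha256, matching what a JS sha256 library returns."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def register(db: dict, username: str, plaintext_password: str) -> None:
    """Registration stage: hash and store (this leg belongs over SSL)."""
    db[username] = sha256_hex(plaintext_password)


def issue_challenge(session: dict) -> str:
    """Login stage step 1: random string stored server-side in the session
    and also embedded in the login form as a javascript var."""
    session["random_string"] = secrets.token_hex(16)
    return session["random_string"]


def client_response(plaintext_password: str, random_string: str) -> str:
    """Login stage step 3: what the browser computes before posting.
    '+' in the post means string concatenation."""
    return sha256_hex(sha256_hex(plaintext_password) + random_string)


def authenticate(db: dict, session: dict, username: str, posted_password: str) -> bool:
    """Auth stage: recompute from the stored hash and the session nonce."""
    nonce = session.get("random_string", "")
    # One-time use: blank the nonce immediately so a replayed POST fails,
    # whether or not the comparison below succeeds.
    session["random_string"] = ""
    if not nonce:
        return False
    stored_hash = db.get(username)
    if stored_hash is None:
        return False
    expected = sha256_hex(stored_hash + nonce)
    return hmac.compare_digest(expected, posted_password)


if __name__ == "__main__":
    register(USER_DB, "alice", "correct horse")   # constructed sample user
    session = {}                                   # stands in for $_SESSION

    nonce = issue_challenge(session)
    response = client_response("correct horse", nonce)
    print("first attempt :", authenticate(USER_DB, session, "alice", response))
    print("replayed post :", authenticate(USER_DB, session, "alice", response))

    nonce = issue_challenge(session)
    response = client_response("wrong password", nonce)
    print("bad password  :", authenticate(USER_DB, session, "alice", response))
```

Run it and the first attempt succeeds, the replay of the same POST fails because the nonce was consumed, and the bad password fails. Two things to keep in mind when carrying this into PHP: on success the post recommends a fresh session id (session_regenerate_id() in PHP) rather than treating the mere presence of an id as proof of login; and because the client hashes the stored value with the nonce, anyone holding the database column can answer the challenge without knowing the plaintext, so that column needs the same protection you would give a plaintext password.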
