Re: nooB PhP login using MySQL
Posted by Jerry Stuckle on 03/30/07 02:47

Ben wrote:
> "shimmyshack" <matt.farey@gmail.com> wrote in message
> news:1175208366.040091.161750@l77g2000hsb.googlegroups.com...
>> On 29 Mar, 23:06, "Ben" <nos...@thankyou.com> wrote:
>>> Hello, I'll bet this has been asked a million times but I can't seem to
>>> find
>>> a thread that gives the clear example I need.
>>>
>>> This PC has MySQL and IIS configured and running. The MySQL database is
>>> "myDB" with a table "myUsers" with fields "Username" and "Password". I
>>> also
>>> have the MySQL ODBC driver loaded with a DSN "dsnMySQL" setup.
>>>
>>> First question is can someone direct me to a site or provide a sample
>>> code
>>> for a login page that prompts for user/password then either displays a
>>> message "Login Succeeded!" or "Login Failed!"
>>>
>>> Second, how do I prevent users from bypassing the login? Session
>>> variable
>>> right? Need instructions on how to implement that.
>>>
>>> Lastly, what is the best, maybe I should word that differently, the most
>>> commonly used method for login encryption? I would like the password
>>> text
>>> physically in the DB to be encrypted text that is decrypted through the
>>> login process.
>> I'll deal with this only because it is something that I can just copy
>> and paste from a few entries on this newsgroup in the last few days,
>> the rest I'll leave to google.
>> you can get javascript sha256 (sha2) so why not use that.
>>
>>
>>> Ok, that'll get me through step 1. Any help appreciated.
>>>
>>> =B
>>
>> firstly changing/registering the password should only be done over
>> SSL, unless you can use one of the js asymmetric encryption
>> implementations that are doing the rounds. [hee hee]
>>
>> so registration stage:
>> get user's password at registration - you should do this securely
>> using SSL.
>> hash and store in database = sha256(users_plaintext_password)
>>
>>
>> but anyway logging in:
>>
>>
>> login stage
>> 1. create a random string and store in session on server,
>> 2. send login form with username and password fields, and random
>> string as javascript var that will be used later by function that
>> submits form.
>> 3. when user enters password, set password field to
>> sha256( sha256(users_plaintext_password)+random string ), and post
>> form
>>
>> auth stage
>> server computes sha256( users_hashed_password_in_database +
>> $_SESSION['random_string'] )
>> remove the random string immediately from the session using
>> $_SESSION['random_string'] = '',
>>
>> if $_POST['password'] ==
>> sha256( users_hashed_password_in_database +
>> $_SESSION['random_string'] )
>>
>> then OK, redirect to their destination which has a file at the top
>> requiring authentication
>>
>> else they made an invalid attempt, redirect back to login script,
>> setting new random_string which is sent along with login form and also
>> stored in session.
>>
>> Usually databases tend to use md5() or sha1() I think that has
>> commonly been because more secure hashes weren't around in javascript
>> (and because the defacto mysql uses PASSWORD() which I think is a
>> euphemism for md5() ) but now that there are secure ways, and you don't
>> have to use PASSWORD() anyway, stick to something like sha2, there
>> have been noises about problems with md5 but as with all such noises,
>> if you wanted to be secure you would shell out for an SSL cert, or
>> pick one up from cacert.org for nothing.
>>
>> When your users have logged in, set a new session, with a new session
>> ID, and try not to simply use the presence of the session id with that
>> value as the determining factor as to whether they have logged in or
>> not, after all someone could grab the session id and replay it. The
>> difficulty here is that if you make it too "secure" using "process or
>> application flow" or a running-one-time-pad for each request the
>> presence of a man-in-the-middle could cause a denial of service to the
>> real user, whose authentication would be invalidated once the MITM and
>> user both attempted to replay the same session. Anyway, my advice get
>> yourself a free cert from www.cacert.org (which is fine for
>> encryption) and go get assured and join the web of trust to get your
>> name on it (so it can be used as proof of ownership/id).
>>
>
> We have the cert. Thanks for your info it was helpful. I'm unfamiliar with
> PHP/Java...a VFP programmer actually. Was hoping for something more
> specific. Spent a lot of time at google before posting and found lots of
> info but all pre-coded tools with no walk thru. I'm looking to understand
> what is happening and not just implement someone else's stuff. Lean code
> geared just for a secure login. I'll find it eventually. Thanks again for
> the reply.
>
> =B
>
>

Ben,

Your problem here is that your question is really too broad for a
newsgroup. I can easily spend a full day in lecture/lab on these very
points for instance.

I suggest you look for some PHP and MySQL tutorials for a start. Get a
feel for the language - it is *quite different* than VFP.

Then come back here with specific questions and code you've tried. That
will help us help you.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
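The registration and challenge-response login exchange shimmyshack describes, written out as an added Python example (not code from the thread). It assumes in-memory dicts standing in for the MySQL table and the PHP session, and keeps the post's unsalted sha256 storage, which means the stored hash alone is enough to answer the challenge.

```python
import hashlib
import hmac
import secrets


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


# Registration stage: the database row holds sha256(plaintext), unsalted, exactly
# as the post describes. In this scheme that value is password-equivalent.
def register(db: dict, username: str, password: str) -> None:
    db[username] = sha256_hex(password)


# Login step 1: server creates a random string and stores it in the session.
def issue_challenge(session: dict) -> str:
    session["random_string"] = secrets.token_hex(16)
    return session["random_string"]


# Login step 3: what the browser-side JavaScript computes before posting the form.
def client_response(password: str, random_string: str) -> str:
    return sha256_hex(sha256_hex(password) + random_string)


# Auth stage: pop the nonce first so a captured response cannot be replayed, then
# recompute sha256(stored_hash + random_string) and compare in constant time.
def authenticate(db: dict, session: dict, username: str, response: str) -> bool:
    random_string = session.pop("random_string", None)
    stored = db.get(username)
    if random_string is None or stored is None:
        return False
    expected = sha256_hex(stored + random_string)
    return hmac.compare_digest(expected, response)


# Runs the exchange: a valid login, a replay of the same response, a wrong password.
def demo() -> tuple:
    db, session = {}, {}  # constructed stand-ins for the MySQL table and $_SESSION
    register(db, "ben", "correct horse")
    nonce = issue_challenge(session)
    first = authenticate(db, session, "ben", client_response("correct horse", nonce))
    replay = authenticate(db, session, "ben", client_response("correct horse", nonce))
    nonce = issue_challenge(session)
    wrong = authenticate(db, session, "ben", client_response("wrong", nonce))
    return first, replay, wrong


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```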
