Posted by Willem Bogaerts on 10/01/07 09:30
Google for "challenged authentication".
The idea is this:
The server asks a question that can only be answered if you know the
password.
The server could send the client an arbitrary word that the client
should hash, using the password as salt. This salted hash is then sent
to the server for verification.
Store the generated word in the session and clear it upon successful
login. This ensures you can only log in once if someone monitors the
network traffic and the pre-login session. (You DO regenerate the
session upon successful login, don't you?)
Good luck,
--
Willem Bogaerts
Application smith
Kratz B.V.
http://www.kratz.nl/
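The exchange described in the post, as an added example that is not part of the original message: the server issues a random challenge and parks it in the pre-login session, the client binds it to the password, and the server verifies once, discards the challenge, and regenerates the session. HMAC-SHA256 is used here in place of the post's plain salted hash; the user store and session dict are constructed stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed user store: the server needs the password (or a key derived
# from it) to recompute the expected answer in this scheme.
USERS = {"alice": "correct horse battery staple"}


def issue_challenge(session: dict) -> str:
    """Server side: generate a fresh random challenge and keep it in the
    pre-login session so it can be checked exactly once."""
    challenge = secrets.token_hex(16)
    session["challenge"] = challenge
    return challenge


def client_response(password: str, challenge: str) -> str:
    """Client side: answer the challenge with a keyed hash over it. Only a
    holder of the password can produce this value for a given challenge."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.sha256).hexdigest()


def verify_login(session: dict, username: str, response: str) -> bool:
    """Server side: recompute the expected answer, compare in constant time,
    and invalidate the challenge whatever the outcome. On success the
    pre-login session is thrown away and a new session id is issued."""
    challenge = session.pop("challenge", None)  # single use, even on failure
    if challenge is None:
        return False  # nothing outstanding to answer
    password = USERS.get(username)
    if password is None:
        return False
    expected = client_response(password, challenge)
    if not hmac.compare_digest(expected, response):
        return False
    session.clear()  # drop everything the pre-login session carried
    session["id"] = secrets.token_hex(16)  # regenerate the session on login
    session["user"] = username
    return True
```

A response sniffed from the wire answers only the challenge it was computed for, so replaying it against a later session fails.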