Topics

User Functions

Events

There are no upcoming events

What's New

Stories last 2 weeks

No new stories

Comments last 2 weeks

No new comments

Trackbacks last 2 weeks

No new trackback comments

Links last 2 weeks

No recent new links

NEW FILES last 14 days

No new files

Welcome to Geeklog Thursday, April 17 2014 @ 05:23 PM EDT

The following comments are owned by whomever posted them. This site is not responsible for what they say.

  • Javascript for challenge authenticated logins into geeklog.
  • Authored by:howdy on Thursday, July 08 2004 @ 07:48 AM EDT
Using javascript to create md5 and sha1 hashes is pretty useful to ensure passwords never get sent in the clear when a user logs into a geeklog site.

All one has to do is generate a "salt" on the server end and send it to the user's web browser when they visit your site. When the user types in the login details on the client end and hits "login," the md5/sha1 hashing javascript takes the password, md5 hashes that password, concatenates the md5 hash with the server-generated salt, then sha1 hashes that and sends that sha1 hash to the server. The server then takes the md5 hash of the password it has in the database, concatenates that md5 hash with the salt that it previously sent to the client, generate a sha1 hash out of that, then compare what it generated to what it received from the client. If that matches, the login is considered valid and no plain text exchange of the password occured. Obviously, this isn't as logging into a site via SSL, but it is decent enough. Also, for "replay protection" (to prevent someone from simply sending the same sniffed sha1 hash to login as a particular user again, geeklog must change the salt it sends to the client after a successful login, or after a small timeout period (something like 2 minutes is good).