Welcome to Geeklog, Anonymous Thursday, June 08 2023 @ 04:50 pm EDT

Comments for Would you use Javascript on your GL site?

Would you use Javascript on your GL site? | 9 comments | Create New Account

The following comments are owned by whomever posted them. This site is not responsible for what they say.

Javascript for challenge authenticated logins into geeklog.

Authored by: howdy on Thursday, July 08 2004 @ 07:48 am EDT

Using javascript to create md5 and sha1 hashes is pretty useful to ensure passwords never get sent in the clear when a user logs into a geeklog site.

All one has to do is generate a "salt" on the server end and send it to the user's web browser when they visit your site. When the user types in the login details on the client end and hits "login," the md5/sha1 hashing javascript takes the password, md5 hashes that password, concatenates the md5 hash with the server-generated salt, then sha1 hashes that and sends that sha1 hash to the server. The server then takes the md5 hash of the password it has in the database, concatenates that md5 hash with the salt that it previously sent to the client, generate a sha1 hash out of that, then compare what it generated to what it received from the client. If that matches, the login is considered valid and no plain text exchange of the password occured. Obviously, this isn't as logging into a site via SSL, but it is decent enough. Also, for "replay protection" (to prevent someone from simply sending the same sniffed sha1 hash to login as a particular user again, geeklog must change the salt it sends to the client after a successful login, or after a small timeout period (something like 2 minutes is good).

Search

Resources

About

Getting started

Support

Development

Topics

User Functions

What's New

Articles last 4 weeks

Comments last 4 weeks

Pages last 4 weeks

Links last 4 weeks

Downloads last 4 weeks