Question
Breakthrough
I came up with a method I'm sure is in use somewhere else, but I was just wondering if any of you either used this before, or know of any flaws with this method. Right now I'm working on creating a content management system, and wanted to create the most secure method to log in over HTTP.
What I came up with is this:
1. User requests the login page
2. Server generates a random string, sets it in $_SESSION
3. This string is sent to the client's browser in a hidden <input /> tag.
4. When the user logs in, two things happen: First, the SHA1 value of their password is calculated. This value is then appended to the random string from the hidden input, and the SHA1 value of that entire string is taken again. (So the string looks like this - password = sha1(sha1(password) + rand_string) - this is all done client-side, with JavaScript.)
5. Now the server has three inputs from $_POST - the username, the double-encrypted password, and the random string. The server first locates the administrator username on the user table, then takes the password (stored as an SHA1 value), and adds the random string to it, and gets the SHA1 value (similar to what was done in JavaScript above). Then it's a simple comparison.
6. For some additional security, the value of the random string is also checked against the $_SESSION variable. Each login attempt clears this variable as well - so the user must continually request the form each time.
Thoughts?
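The exchange described in steps 1 to 6 of the question, as an added Node.js example that is not part of the original post. The `session` object stands in for `$_SESSION`; the user table, the sample password and all function names are constructed for illustration, and the constant-time comparison is an addition the post does not mention.

```javascript
const nodeCrypto = require('crypto');

const sha1 = (s) => nodeCrypto.createHash('sha1').update(s, 'utf8').digest('hex');

// Constructed sample data: the user table stores sha1(password), as in step 5.
const users = new Map([['admin', sha1('correct horse')]]);
const session = {};                        // stands in for PHP's $_SESSION

// Steps 1-3: the server issues a random string and remembers it in the session.
function issueChallenge() {
  session.nonce = nodeCrypto.randomBytes(16).toString('hex');
  return session.nonce;
}

// Step 4: what the browser's JavaScript computes before the form is submitted.
function clientResponse(password, randString) {
  return sha1(sha1(password) + randString);
}

// Steps 5-6: the server verifies, clearing the session value on every attempt.
function verifyLogin(username, response, randString) {
  const expectedNonce = session.nonce;
  delete session.nonce;                    // single use, success or failure
  if (!expectedNonce || randString !== expectedNonce) return false;
  const stored = users.get(username);
  if (!stored) return false;
  const expected = Buffer.from(sha1(stored + randString), 'hex');
  const got = Buffer.from(String(response), 'hex');
  return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
}

// One full exchange, then the identical POST body submitted a second time.
function demo() {
  const nonce = issueChallenge();
  const resp = clientResponse('correct horse', nonce);
  const first = verifyLogin('admin', resp, nonce);
  const replay = verifyLogin('admin', resp, nonce);   // nonce already cleared
  // The server derives the expected value from the stored SHA1 alone, so the
  // stored hash is what authenticates: protect it like the password itself.
  const fromStoredHash = sha1(users.get('admin') + nonce) === resp;
  return { first, replay, fromStoredHash };
}

console.log(demo());
```

The second call fails only because step 6 clears the session value; the password itself never crosses the wire, but everything else on the page still does when the login runs over plain HTTP.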
30 answers to this question