Securest NON-SSL Mechanism for user login ?

  • 127.0.0.1

    Securest NON-SSL Mechanism for user login ?

    Within the bounds of Javascript and pHP, what is the securest login
    mechanism anyone here has come up with.

    --
    Spam:newsgroup( at)craznar.com@ verisign-sux-klj.com
    EMail:<01100011 001011100110001 001110101011100 10011010110
    110010101000000 011000110111001 001100001011110 10011011100
    110000101110010 001011100110001 101101111011011 0100100000>
  • Manuel Lemos

    #2
    Re: Securest NON-SSL Mechanism for user login ?

    Hello,

    On 10/11/2003 02:05 PM, 127.0.0.1 wrote:
    > Within the bounds of Javascript and pHP, what is the securest login
    > mechanism anyone here has come up with.

    You may want to take a look at the example that comes with this class of
    a login form that encrypts a password with MD5 and stores it in a hidden
    field before the form is submitted.

    --

    Regards,
    Manuel Lemos

    Free ready to use OOP components written in PHP



    • Manuel Lemos

      #3
      Re: Securest NON-SSL Mechanism for user login ?

      Hello,

      On 10/11/2003 04:23 PM, Manuel Lemos wrote:
      > On 10/11/2003 02:05 PM, 127.0.0.1 wrote:
      >
      >> Within the bounds of Javascript and pHP, what is the securest login
      >> mechanism anyone here has come up with.
      >
      >
      > You may want to take a look at the example that comes with this class of
      > a login form that encrypts a password with MD5 and stores it in a hidden
      > field before the form is submitted.



      --

      Regards,
      Manuel Lemos




      • Don Faulkner

        #4
        Re: Securest NON-SSL Mechanism for user login ?

        On Saturday 11 October 2003 12:05 pm, 127.0.0.1 wrote:
        > Within the bounds of Javascript and pHP, what is the securest login
        > mechanism anyone here has come up with.
        >

        HMAC. Go read RFC 2104 for background
        (http://www.rfc-editor.org/rfc/rfc2104.txt)
        Next, google for an HMAC implementation in javascript.

        In the login form, send down a hidden form field with a random value (place
        the same value in the session).

        The user types in a username and password. The submit button fires off
        javascript that computes digest=HMAC( password, secret ) and submits
        SessionID, username, and digest.

        Back on the server side, grab the secret out of the session. Look up the
        user's password and compute the HMAC using the server-side info you
        have. Then compare the digests.

        The neat part about this is that the digest changes every time, so you avoid
        replay attacks. The bad part is that somebody has to have cleartext access
        to the password. You could argue that you could just MD5 the pass and use
        that for HMAC. You'd be right of course, but at that point the MD5 becomes
        as good as having the actual password. You want to push the actual server
        side HMAC computation as far back as possible. If you're using a database
        that supports stored procedures, do it there.
        --
        Don Faulkner, KB5WPM |
        (This space | "All that is gold does not glitter."
        unintentionally | "Not all those who wander are lost."
        left blank) | -- J.R.R. Tolkien
