Leon's Weblog

October 28, 2009

PHP Authentication Over Unsecured Internet Connection

Filed under: Software Dev — Leon @ 7:50 pm

When I wrote my earlier article on Managing Users in a PHP Web Application, I neglected to mention that the authentication mechanism is only acceptable when users are connected over a secure connection (HTTPS) or are on a trusted network (such as a corporate intranet). We went to great lengths to ensure that the passwords are stored securely in the database and that the site is not susceptible to SQL injection or XSS techniques. However, when the login form is submitted over an unsecured internet connection the password is sent to the server in plain text. Anyone lurking on the network can easily capture the login credentials with a network sniffer such as Wireshark. The solution to this problem is to hash the password using MD5 on the client side prior to submitting the login page. This is similar to how we hashed the password stored in the database to prevent people with access to the table from viewing users’ passwords.

The following article goes over the technique of securing client-side passwords using a JavaScript implementation of MD5. The key to take away from the article (besides the JavaScript code for MD5) is that the user’s password is hashed and submitted in hashed form only. In my case, I simply replace the clear text password with the hashed version prior to submitting the login form. This is the only change required to the login form code implemented in the previous article.

<input onclick="document.form.txtPW.value=MD5(document.form.txtPW.value)" name="Login" type="submit" value="Login" />

Note that this solution will only work if the client has JavaScript enabled on their browser. You can use FireBug’s network panel to verify that the clear-text password is not transmitted.

October 19, 2009

Transferring Linux Server to a 1&1 Shared Host

Filed under: Personal,Software Dev — Leon @ 1:40 am

Recently, I was forced to relocate my Linux server, so I decided to try out 1&1’s Shared Web Hosting package. This option was a lot cheaper than paying colocation fees at a server farm and provided a solution that is a bit easier to maintain. The challenge was setting up the environment in 1&1’s restricted hosting to have the same functionality that I used to have on the LAMP server. I’ll describe some of the challenges and solutions below. This is a follow-up to an earlier guide that I wrote on Configuring a 1&1 Shared Host.