Comments on: PHP Authentication Over Unsecured Internet Connection http://www.lbsharp.com/wordpress/index.php/2009/10/28/php-authentication-over-unsecured-internet-connection/ Just another WordPress weblog Mon, 30 Aug 2010 16:36:36 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: leon http://www.lbsharp.com/wordpress/index.php/2009/10/28/php-authentication-over-unsecured-internet-connection/comment-page-1/#comment-32366 leon Fri, 11 Dec 2009 18:30:45 +0000 http://www.lbsharp.com/wordpress/?p=48#comment-32366 You are absolutely right, kebet. This does not prevent replay attacks as you described. To fix this, the client would have to send back a hashed value of the clear text password appended to their unique session id. This complicated things a bit because we don't want to store clear text passwords in the database either. I prefer storing a hash of the user's clear text password appended to their user name to prevent dictionary attacks on the users table. So to authenticate, the client would have to calculate the following: MD5( MD5(clear_pw + name) + session_id ) Of course forcing connections to use HTTPS is a lot easier. You are absolutely right, kebet. This does not prevent replay attacks as you described. To fix this, the client would have to send back a hashed value of the clear text password appended to their unique session id. This complicated things a bit because we don’t want to store clear text passwords in the database either. I prefer storing a hash of the user’s clear text password appended to their user name to prevent dictionary attacks on the users table. So to authenticate, the client would have to calculate the following:

MD5( MD5(clear_pw + name) + session_id )

Of course forcing connections to use HTTPS is a lot easier.

]]> By: kebet http://www.lbsharp.com/wordpress/index.php/2009/10/28/php-authentication-over-unsecured-internet-connection/comment-page-1/#comment-32355 kebet Fri, 11 Dec 2009 09:50:46 +0000 http://www.lbsharp.com/wordpress/?p=48#comment-32355 This is not a secure solution since anybody, who would be able to catch plain text password, will catch the hash. And authenticate himself by sending it directly to server (by using firebug to modify form or by simply writing his own form). Did I miss something? This is not a secure solution since anybody, who would be able to catch plain text password, will catch the hash. And authenticate himself by sending it directly to server (by using firebug to modify form or by simply writing his own form).

Did I miss something?

]]>