On Thu, Jun 07, 2001 at 05:06:55PM +0200, Hannu Krosing wrote:
> Just sending a hashed value does not make it any more secure, as said
> hashed value is as easy to sniff as plaintext.
Sorry, I over-simplified my description of the PHPlib scheme.

Server:
  Generate new challenge value.
  Send login form with challenge value as value of hidden form field.

Client:
  Collect username and password on form.
  If Javascript enabled, create MD5 hash of password value, create MD5 hash
  from concatenation of username, MD5-hashed password, and challenge.
  Save latter hash value in hidden form field.

Server:
  If hidden form field has a value, create MD5 hash from username,
  password (from database, stored already MD5-hashed), and challenge;
  compare that value against the one sent by the client to authenticate.
  If hidden form field has no hash value (client didn't run javascript
  code), do MD5 hash on clear-text password sent by client and compare
  against database value for given username to authenticate.

-- 
Fred Yankowski              fred@OntoSys.com      tel: +1.630.879.1312
Principal Consultant        www.OntoSys.com       fax: +1.630.879.1370
OntoSys, Inc                38W242 Deerpath Rd, Batavia, IL 60510, USA