Introduction
While wrestling with these use case requirements, having reviewed several articles on session security and made a few attempts to get more out of the existing session tools, I came upon an idea. The rest of this article documents the process. It is not a tutorial on PHP, MySQL or JavaScript, but you will see how these technologies are used to address many common challenges.
The Idea
The idea is simple. The client receives a random MD5 value from the server (the sessionid) and then uses it together with their password to create another MD5 that is sent back to the server (the authentication key). The server knows the client's password and it knows the random value that was sent to the client, so it calculates an MD5 in the same way the client did and compares it with what the client sent. If there is a match, the client is authenticated.
Requirements
In order to implement this idea and to address the other requirements listed in the heading I have utilized some specific browser technology: DHTML (dynamic HTML), the XMLHttpRequest object, the sessionStorage object and frames. The solution documented in the remainder of this article has been tested on a server using PHP Version 5.2.6, Apache/2.2.3 (Linux/SUSE) and MySQL 5.0.26. Browsers tested include Firefox 3.0.1 and 3.0.13 as well as Internet Explorer 8.
Sample project
For the purpose of developing and demonstrating the authentication process, this project provides access to a few protected pages upon successful login. Authorization has been split out from authentication and is left for future implementation, as it would add needless complication at this point.
To get you started you can access the working sample project, which I've called "Case 1", with the following link.
Sample Project
You can login using a username of admin and a password of admin.
Source Files
The test case source files are available for download. The first zip is a copy of my working code from a Linux box. The second zip is a copy of the same files but saved with CRLF line termination for Windows viewers. You will want to have the source files available for comparison while working through the discussion in the article.
case1.zip (24 Kb)
case1win.zip (24 Kb)
Last updated Sept 16, 2009 to fix mistake in login.php refresh recovery