
Re: Securing Web Apps.

by freddo411 (Chaplain)
on Nov 12, 2003 at 19:19 UTC (#306604)

in reply to Securing Web Apps.

Perhaps this is obvious, but you must run this through https otherwise the username/passwd would be in the clear on the wire....

Nothing is too wonderful to be true
-- Michael Faraday

Re: Re: Securing Web Apps.
by jdtoronto (Prior) on Nov 12, 2003 at 19:24 UTC
    True, well at least in part. The username would be transmitted as plain text, but the password is inside the MD5 hash returned by the browser - not sent as text. I am not sure of the exact name of this method, but using other data known at both ends we can validate the 'secret' without ever having transmitted it.


      if your challenge of the day is only changed once per day, once an attacker has sniffed the username and hash, those are all they need to get in for the rest of the day. you can improve it somewhat by including the client's IP address in the hash, but this will cause problems if they're behind a proxy, etc. and it still isn't 100% solid because IP addresses can be spoofed.

      the only truly secure way to authenticate over an insecure channel without using encryption is with a zero knowledge proof, but implementing a ZKP is a complex undertaking since it is necessarily interactive and would require sophisticated client-side action. the chances of screwing something up in the implementation and wrecking the security are probably high enough that it's not worth even considering.

      if i were you and i were really concerned about security, i would run everything over https and use basic HTTP authentication. it's simple and about as secure and reliable as you're going to get.

      also, it sounds like you're storing passwords on the server in some unencrypted form. this is almost always a bad idea.

      there's no such thing as perfect security. the best you can do is to make it hard enough to crack that the expense of cracking it would be more than any possible reward that the attacker would get.
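Added example (not code from anyone in this thread): a small Python model of the two challenge-response variants discussed above, so the replay point can be seen rather than argued. It assumes the client computes MD5(challenge || password), which the posts do not spell out, and uses a constructed user store. Note that this construction forces the server to keep the password itself (or something equivalent to it) in recoverable form, which is exactly the storage problem the reply above raises.

```python
import hashlib
import hmac
import secrets

# Constructed user store for the example. The challenge-response scheme
# needs the password (or a password-equivalent) available to the server,
# so it cannot be stored as a one-way hash.
USERS = {"alice": "correct horse battery staple"}

# Outstanding per-login challenges, keyed by username; each is single-use.
_pending = {}


def client_response(password, challenge):
    """What the browser-side script computes and sends (assumed layout)."""
    return hashlib.md5((challenge + password).encode()).hexdigest()


def verify_daily(username, response, day="2003-11-12"):
    """The 'challenge of the day' scheme: the challenge is the same for
    every login that day and is never consumed, so a sniffed response
    keeps working until the day changes."""
    password = USERS.get(username)
    if password is None:
        return False
    return hmac.compare_digest(client_response(password, day), response)


def issue_challenge(username):
    """Per-login variant: hand out a fresh random nonce for this attempt."""
    nonce = secrets.token_hex(16)
    _pending[username] = nonce
    return nonce


def verify_nonce(username, response):
    """Per-login variant: recompute against the pending nonce and consume
    it whether or not the check passes, so a replay finds nothing to match."""
    nonce = _pending.pop(username, None)
    password = USERS.get(username)
    if nonce is None or password is None:
        return False
    return hmac.compare_digest(client_response(password, nonce), response)


def replay_demo():
    """Sniff one legitimate login under each scheme, then replay it.
    Returns ((daily_first, daily_replay), (nonce_first, nonce_replay))."""
    sniffed = client_response(USERS["alice"], "2003-11-12")
    daily = (verify_daily("alice", sniffed), verify_daily("alice", sniffed))

    nonce = issue_challenge("alice")
    sniffed = client_response(USERS["alice"], nonce)
    per_login = (verify_nonce("alice", sniffed), verify_nonce("alice", sniffed))
    return daily, per_login


if __name__ == "__main__":
    print(replay_demo())  # ((True, True), (True, False))
```

The per-login nonce closes the replay hole, but not the other problem with hashing over an unencrypted channel: an attacker who has captured one (nonce, response) pair can run an offline dictionary attack against MD5 on it, since nothing in the exchange is secret except the password. That is why the reply above ends up at HTTPS anyway.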

        I have played with the basic auth method but the thing that puts me off is that there is no clear cut way to log the user out - as far as I can tell the browser stays authed until it quits.

        Am I missing something here?

My preferred way to auth is to send the user through a login page and then to set a cookie with the user's name and a token on it. This token is something like "ahe67pnjr8" and is selected at random at the login. To confirm the user the token from the cookie is compared to the token in the database.

This makes logging out easy as all you need to do is change the token in the database and the user's cookie becomes worthless. Can a similar thing be achieved with basic auth without changing the user's password?

        --tidiness is the memory loss of environmental mnemonics
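Added example (not jdtoronto's code): the random-token cookie scheme from the post above in Python, with logout implemented by replacing the stored token. Two things are assumptions beyond what the post says: the token is generated with `secrets` and is longer than the ten characters shown, and the database stores only a SHA-256 hash of the token rather than the token itself, so that someone who can read the session table cannot mint valid cookies from it. The "database" is an in-memory dict for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the session table:
# username -> SHA-256 hex digest of the current token.
SESSIONS = {}


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def login(username):
    """Called after the login page has checked the password.
    Issues a fresh random token, records its hash, and returns the
    (name, token) pair to put in the cookie."""
    token = secrets.token_urlsafe(32)
    SESSIONS[username] = _digest(token)
    return username, token


def is_authenticated(cookie):
    """Compare the cookie's token against the stored one for that name.
    Constant-time compare so a mismatch does not leak prefix length."""
    username, token = cookie
    stored = SESSIONS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _digest(token))


def logout(username):
    """Invalidate the session exactly as the post describes: replace the
    stored token, so the cookie still in the browser no longer matches."""
    SESSIONS[username] = _digest(secrets.token_urlsafe(32))


def demo():
    """Login, check, logout, check again, then a fresh login.
    Returns (before_logout, after_logout, old_cookie_after_relogin, new_cookie)."""
    old_cookie = login("alice")
    before = is_authenticated(old_cookie)
    logout("alice")
    after = is_authenticated(old_cookie)
    new_cookie = login("alice")
    return before, after, is_authenticated(old_cookie), is_authenticated(new_cookie)


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```

Note that the fresh login also invalidates the old cookie, since one token per user is stored; to allow several simultaneous sessions per user the table would need to be keyed by token rather than by name. On the basic-auth question: with HTTP Basic authentication the browser attaches the credentials to every request on its own, so the server can reject them (answer 401 again) but cannot make the browser forget them, which is why the token approach is the usual way to get a real logout.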
