Cryptography: JavaScript MD5: Login System

Paj’s Home: Cryptography: JavaScript MD5: Login System

Hmm… thought in my head.

Server
$Server_Password_Hash // Server has a hash of the user's password, retrieved from a database.
var $Date = now(); // Current date as of the moment now()

Server sends the $Date to the client browser.

Client side
Client types the password into an <input type="password"> box: $Client_Password.

Use a JS function called Hash(value) to generate a hash.

$temp = Hash($Client_Password);
$Client_Hashed_password = Hash($temp + $Date);

Send both back to server.
$Client_Hashed_password
$Date

Server checks to see if the $Date is less than 2 minutes old (or whatever). If bad, redo, else…

Server computes
$chk = Hash ($Server_Password_Hash + $Date);
if ($chk == $Client_Hashed_password)
//then allow into the system, via a session ID.

[update]
After typing the above, it scares me a little to know that I can have a coherent thought like that. The flow works.
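
The flow above written out for Node.js, as an added example that is not code from the original post. It adds two server-side checks the sketch leaves open: a single-use rule so a captured $Client_Hashed_password/$Date pair cannot be resubmitted inside the two-minute window, and a constant-time comparison. SHA-256 stands in for Hash(), and the function names and the epoch-millisecond $Date format are assumptions.

```javascript
// Added example (not the post's code). SHA-256 stands in for the post's Hash();
// function names and the epoch-millisecond date format are assumptions.
const { createHash, timingSafeEqual } = require('node:crypto');

const MAX_AGE_MS = 2 * 60 * 1000; // the post's "2 minutes old (or whatever)"
const hash = (s) => createHash('sha256').update(s, 'utf8').digest('hex');

// Client side: Hash(Hash(password) + date), as in the post.
function clientResponse(password, date) {
  return hash(hash(password) + date);
}

// Server side, one verifier per account. serverPasswordHash is Hash(password).
function makeVerifier(serverPasswordHash) {
  const used = new Map(); // accepted date -> time its freshness window ends

  return function verify(response, date, now) {
    // Forget accepted dates that the freshness check now rejects anyway.
    for (const [d, expiry] of used) if (expiry <= now) used.delete(d);

    const issuedAt = Number(date);
    if (!Number.isFinite(issuedAt)) return 'bad-date';
    if (issuedAt > now || now - issuedAt >= MAX_AGE_MS) return 'stale';
    if (used.has(date)) return 'replayed';

    const expected = Buffer.from(hash(serverPasswordHash + date), 'utf8');
    const got = Buffer.from(String(response), 'utf8');
    // timingSafeEqual throws on unequal lengths, so check length first.
    if (got.length !== expected.length || !timingSafeEqual(got, expected)) {
      return 'mismatch';
    }
    used.set(date, issuedAt + MAX_AGE_MS);
    return 'ok';
  };
}

// Constructed sample run: password, timestamps and guesses are made up.
function demo() {
  const verify = makeVerifier(hash('correct horse'));
  const t0 = 1700000000000;
  const date = String(t0); // value the server sent to the browser
  const response = clientResponse('correct horse', date);
  return [
    verify(clientResponse('wrong guess', date), date, t0 + 1000), // mismatch
    verify(response, date, t0 + 5000),                            // ok
    verify(response, date, t0 + 6000),                            // replayed
    verify(response, date, t0 + MAX_AGE_MS),                      // stale
  ];
}
```

Because the server computes the check from the stored hash alone, that hash has to be protected like the password itself.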

  1. January 24th, 2006 at 17:09 | #1

    Oh yeah, this should maintain a login IP, and only that login IP shall be able to access that session. Avoid injection/capture attacks.
