Login System
Why are you using JavaScript at all in the login process? I mean, only use it for basic validation, not hashing. That in itself is a security flaw because attackers can see how you are encrypting a password, which helps them to crack it.
What if a user has javascript turned off? Then what. You should have php handle everything.
I use javascript for client side hashing before the data is posted because I read somewhere that the postback or something could be hacked. I don't have the link on me but I might find it
Things may be hacked, but you are basically giving the user the key to a door. Rather than having to work out what you are doing to a string, they know exactly what is happening.
Also, some people have javascript off, meaning that the string will not be hashed.
You can do the same thing in PHP, much more secure to do it that way as the end user should then never find out what you are doing.
AJAX is not a programming language, scripting language or any other sort of language.
It is achieved by using JavaScript HTTP functions.
So, AJAX = JavaScript.
http://www.google.nl/search?hl=nl&c2...G=Zoeken&meta=
This is the link that is mentioned in a thread about postback hacking. It's a Dutch thread so I'll just say what's mentioned there:
"Hackers are able to intercept data you send to the server. If they get to intercept the postback (see notes) then the password is openly in front of them. How do we solve this? By hashing the password on the client."
I guess that it's a downside that the method of encryption is visible, however, all they have is the encryption method and the encrypted password. And to decrypt it, that's another something.
My intentions are not to make you feel bad about your post, I'm just explaining why I used the javascript method. According to the thread I used about login systems; which method would you use? I don't know anything about this stuff that's why I looked it up. Maybe you can elaborate on how I'm giving them a key.
And the login will just require javascript to be turned on, if not they will get a message saying it's not.
Anyway, thanks for all the replies, hope to get one soon again.
If you have information beforehand, it makes tasks easier, right? If a hacker knows how you hashed a password, then it makes it easier for them to get around it. The less they know, the harder it is to hack something.
I have actually never seen anything where a hacker has intercepted an HTTP request. It's never been a major issue and my Internet Security Officer at work would make us prevent against it, if it was a viable threat.
If you are so worried, look into secure socket layer protection (SSL). It encrypts all data between the server and the client. Never use JS to hash anything. I understand why you are doing it, but if a user disables JavaScript, the hacker can see the plain text password anyway. It's not going to help out much.
I really don't recommend making a user have javascript enabled to login. There are actually a lot of people that disable js when they login to a website. It helps prevent hackers to run malicious scripts to steal and change your data in an account. This is known as CSRF or XSRF. It is good practice to do this.
You should turn your focus to hashing the password on the php side of things. No one can change that.
As for other security factors you should look into, you might want to use a token system and timed forms. These help with CSRF.
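What the reply above recommends, written out as an added example (not code posted in this thread): the password is hashed only on the PHP side with password_hash/password_verify, and the login form carries a random, single-use token with an expiry, which is the "token system and timed forms" idea against CSRF. The users table, its columns and the $db PDO connection are assumptions.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+, sessions enabled,
// a hypothetical users(username, password_hash) table and a PDO handle $db.
session_start();

// Store only a salted, slow hash (bcrypt via password_hash), never the password.
function storeNewPassword(PDO $db, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Verify a login attempt against the stored hash on the server side.
function checkLogin(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Run password_verify even for unknown users so the timing looks the same.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    return $row !== false && password_verify($password, $hash);
}

// "Token system and timed forms": a per-session random token with an expiry.
function issueFormToken(int $ttlSeconds = 600): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_expires'] = time() + $ttlSeconds;
    return $token;   // embed as a hidden field in the login form
}

function validateFormToken(?string $submitted): bool {
    $stored  = $_SESSION['form_token'] ?? null;
    $expires = $_SESSION['form_token_expires'] ?? 0;
    // Single use: clear the token whether or not it matches.
    unset($_SESSION['form_token'], $_SESSION['form_token_expires']);
    if ($stored === null || $submitted === null || time() > $expires) {
        return false;
    }
    return hash_equals($stored, $submitted);   // constant-time comparison
}

// Handling the POSTed login form:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!validateFormToken($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Form expired or invalid, please reload and try again.');
    }
    $ok = checkLogin($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
    // ... start the authenticated session on success, show an error otherwise.
}
```

Serve the form over HTTPS (the SSL point in the reply) so the password is not readable in transit; the token and hash do not replace that.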