RE: [Phplib-users] Basic authentication
Brought to you by:
nhruby,
richardarcher
Menu
▾
▴
RE: [Phplib-users] Basic authentication
|
From: Brian P. <bp...@ct...> - 2002-02-13 18:15:28
|
>>This would not be secure at all for a non-SSL environment
>>and I would prefer a better method even for an SSL environment
>>(cacheing, etc). If I can see the md5 of the password and token,
>>I don't need to see any more.
That's very true.. very true indeed. Although, keeping x tables of tokens
populated on two or more servers seems like a pretty daunting task. I
supposed you could have the tables on both sides automatically regenerate as
they are exhausted using some predetermined algorithm. I guess this is a
much more complicated problem than I originally surmised. Anyone else have
any ideas?
-BPopp
-----Original Message-----
From: Layne Weathers [mailto:la...@if...]
Sent: Wednesday, February 13, 2002 11:43 AM
To: 'Phplib (E-mail)'
Subject: Re: [Phplib-users] Basic authentication
> I would go ahead and have them encrypt the username and
> password somehow before posting it. SSL should protect
> it from being intercepted, but you never know when you
> might want to use this same signon process somewhere
> else, in a non SSL environment. If you go ahead and expect
> encrypted data, you won't have to have two separate check's
> in your preauth, one for encrypted, one for not. An MD5 of
> the password and an agreed upon token would probably be
> adequate. This is purely hypothetical, but something
> similar should work I think (?) :
>
> Remote partner generates:
>
> $password = url_encode ( md5 ( $password . "magicword" ) );
This would not be secure at all for a non-SSL environment and I would prefer
a better method even for an SSL environment (cacheing, etc). If I can see
the md5 of the password and token, I don't need to see any more. This is the
problem that the Challenge Response Crypt extension of Auth was designed to
solve by ensuring a unique token with each login attempt. With a two-server
system, I would want to set up a library of tokens that both servers know
about, sort of like a spy's code book.
I would probably start with a list of at least a few million unique random
tokens. Each user should only be allowed to use each token once, otherwise
we're back to the problem above. The remote server would pull a token from
the list and send the offset to that token along with the encrypted
password. Your server would double check the offset against the user to
ensure that this attempt was unique and then check the login for validity.
However, we also need to prevent the remote server from using up tokens that
are never used - I'm sure that the users will not click to your site every
time they see a link on the remote site. To solve this, the remote server
links to a local (on the remote server) script. This script (acting much
like a click-through counter), finds a token, records it, encrypts the
password and redirects to your site.
E.g.:
$offset = get_unique_offset( $user_id );
$password = tokenize_user_password( $user_id, get_token( $offset )
);
header("Location:
http://your_server/?username=$username&password=$password&offset=$offset");
exit;
Layne Weathers
Ifworld Inc.
_______________________________________________
Phplib-users mailing list
Php...@li...
https://lists.sourceforge.net/lists/listinfo/phplib-users
|
