Re: [Phplib-users] Example_Challenge_Auth
From: Joe S. <jo...@be...> - 2002-04-02 16:16:20
Well I'll try to keep the discussion going, even if it's not totally
correct.
On Mon, Apr 01, 2002 at 08:18:35PM +0100, David Eisenhart wrote:
> Can anyone explain how and why the 'Example_Challenge_Auth' function works
> (in local.php)?
>
> I 'think' that I need it but am not sure if and how to implement it as I do
> not really understand it. (My intention is that, in the cases where
> JavaScript is enabled, passwords are encrypted by the client)
>
That is what this attempts.
crloginform.ihtml contains two forms - login, logintrue and the
doChallengeResponse() js function.
The logintrue form will be processed if javascript is available and if not
the login form will be used. The value of "response" is checked in
auth_validatelogin().
There are two forms because Netscape 4 in particular will not overwrite a
password field. This field is blanked out so as not to be sent across the
net and is not included in form logintrue.
A response value is created by the doChallengeResponse() javascript
function when submitted.
The response looked for in auth_validatelogin() is:
    $expected_response = md5("$username:$pass:$challenge");
The crcloginform.ihtml adds hashed password storage so the passwords are
not stored clear text in the db.
The header of these forms has a good explanation as well as the docs:
http://www.sanisoft.com/phplib/manual/auth_Response.php
hope this helped,
Joe
> Many thanks,
> David Eisenhart
>
>
>
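The exchange described in the message above, as an added example that is not part of the original post and is not PHPLIB's code: both sides of the login written for Node.js, using the response formula md5("username:pass:challenge") quoted in the post. The function names, the in-memory session map and the sample account are assumptions made for illustration, as are the single-use challenge and the constant-time comparison on the server side.

```javascript
// Added illustration; all names here are hypothetical, not PHPLIB's API.
const crypto = require('crypto');

const md5hex = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Server-side state (constructed sample data).
const users = new Map([['alice', 'correct horse']]); // username -> password
const pending = new Map(); // sessionId -> challenge still awaiting a response

// Server: issue an unpredictable challenge and remember it for this session.
function issueChallenge(sessionId) {
  const challenge = crypto.randomBytes(16).toString('hex');
  pending.set(sessionId, challenge);
  return challenge;
}

// Client: the value a doChallengeResponse()-style function would compute.
// Only username and response are submitted; the password never leaves the client.
function clientResponse(username, password, challenge) {
  return { username, response: md5hex(`${username}:${password}:${challenge}`) };
}

// Server: recompute the expected response and compare it with the submitted one.
function validateLogin(sessionId, form) {
  const challenge = pending.get(sessionId);
  pending.delete(sessionId); // single use: a captured response cannot be replayed
  const pass = users.get(form.username);
  if (challenge === undefined || pass === undefined) return false;
  const expected = Buffer.from(md5hex(`${form.username}:${pass}:${challenge}`));
  const got = Buffer.from(String(form.response));
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}
```

Because the server recomputes the hash from `$pass`, whatever it stores for the user (clear text here) is enough to log in as that user, which is why the storage format matters as much as the wire format.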