Comments on: PHP - Implementing Secure Login with PHP, JavaScript, and Sessions (without SSL)

By: leef

leef — Tue, 12 Jan 2010 09:51:32 +0000

If we're considering that the users traffic is being sniffed, why can't the attacker just capture the incoming salt, or salted hashed password + username and login with their own script?

By: tienod

tienod — Fri, 25 Dec 2009 09:04:23 +0000

Hi!
There is a major security problem in this aproach.
You mention, that you do not need TLS aka SSL for this method. Your JavaScript would prevent MITM-Attacks.
But the truth is, if someone is able to perform a MITM then he can also change the content sent to the browser. There are two methods in my mind for attacking this:
1) Send a different md5 javascript function. This could perform as the original, but also generates a hidden field in the form with the original password and username. So the information is sent in clear text for the attacker and hashed for your script.
2) Change the action="" attribute of your form and disable the javascript (onclick, onsubmit, whatever). So the username and pass the user typed in the form will be sent to my page.
Sorry, but this script will not prevent any type of MITM.

By: shah

shah — Thu, 03 Dec 2009 11:46:06 +0000

Hi Tried using this script for my website. But some how $REQUEST[username] always takes username as tomcat, No matter what I give in username field. Any guess what is going wrong ?

By: Kennie

Kennie — Mon, 28 Sep 2009 18:45:53 +0000

Great script..!!

Is there some way it can be adjusted to function on different homepages placed on the same server without remembering the session. I have placed this script on some different homepages and when I log into homepage1 I can go directly to the secret site on homepage two without signing in even though usernames and passwords are dont match.

By: makemoneyonlinewithaffiliateprogramgirl

makemoneyonlinewithaffiliateprogramgirl — Tue, 01 Sep 2009 08:01:47 +0000

It is a piece of great news to know about GA! It occupies a large proportion of my earning.

By: Алексей

Алексей — Tue, 18 Aug 2009 00:28:19 +0000

На таких громких заголовках и подобной шумихе можно делать и не такие успехи

By: Sylvain Robichaud

Sylvain Robichaud — Mon, 17 Aug 2009 11:47:51 +0000

shitty website

By: Sylvain Robichaud

Sylvain Robichaud — Mon, 17 Aug 2009 11:47:24 +0000

it didnt like the hole paste, so just this

instead of this

By: Sylvain Robichaud

Sylvain Robichaud — Mon, 17 Aug 2009 11:46:00 +0000

For those who still wonder how to make the form working with ENTER and CLICK, just change the <input type="button" as <input type="submit" and remove the onclick from it should look like this at the end Error User Name: Password: <input type="hidden" name="challenge" value=""/>

By: aaa

aaa — Fri, 29 May 2009 15:09:39 +0000

hey i found a bug in your code. i see that it has been a while so i dont know if you have fixed it yet.but :
in firefox, install http live headers and firebug.
firebug will allow you to view the html on the web page. as well as hidden fields.when looking at the hidden fields, you can get the current challenge string and use that for a replay attack.

firebug and live http headers where the tools i used, there could be others. iam thinking of a solution to this. if i find one ill let you know. but if anyone has a solution for this please let me know.

one idea i have is have a separate php class that handles all the challenge strings but i am not too happy on the idea.it just feels like a ducktape and bubble gum solution.