From:  "mario kulka" <[EMAIL PROTECTED]>
> Still a little bit confused;
> So what if someone just creates an HTML with a hidden field containing
> any "login:time" plus another hidden with MD5 hash made out of his own
> IP+login+time and submits it? According to your explanation I
> understood that if my script verified that the hash generated by the
> script based on values he submitted and his IP, matches his (in this
> case it would) I should let him in.

There was one tiny thing missing in the explanation.
You should generate the MD5 out of
        IP+login+time+SECRET_STRING

So if they do not know the SECRET_STRING, they can hash all they want 
:-)

> Or do I in the meantime store the
> hash in his profile in the MySQL db and match that against his? The
> only reason I would think it would be hard to do is for someone to
> guess that the hash was made of his IP and not something else. In that
> case wouldn't be better to make the hash out of: $login.$password and
> then pass as hidden only login; then someone to create the right MD5
> must know the password (which I can pull off the db when trying to
> validate the original hash).

That's exactly the problem. If you include the password in the hash 
you have to fetch it from the DB each time, just to check whether you 
have already validated the user.

Jenda
===== [EMAIL PROTECTED] === http://Jenda.Krynicky.cz =====
When it comes to wine, women and song, wizards are allowed 
to get drunk and croon as much as they like.
        -- Terry Pratchett in Sourcery
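Jenda's recipe in working form, as an added example that is not code from the thread: the hidden field carries "login:time" plus a hash that only the server can produce, and the forged hash from the question (IP+login+time without the secret) is rejected. Assumptions not in the thread: the function names, the constructed SECRET_STRING, a 30 minute expiry, a '|' field separator, and HMAC-SHA256 swapped in for MD5 of a raw concatenation (same "must know the secret" property, without length-extension and separator issues).

```python
import hashlib
import hmac

# Constructed secret for this example only; in practice load it from server
# configuration. It never appears in the HTML.
SECRET_STRING = b"example-only-secret-do-not-reuse"
MAX_AGE_SECONDS = 30 * 60  # assumed lifetime of a hidden-field token


def make_token(ip: str, login: str, issued_at: int,
               secret: bytes = SECRET_STRING) -> str:
    """Hash for the hidden field, bound to IP+login+time+SECRET_STRING.

    HMAC keyed by the secret replaces MD5(IP.login.time.SECRET); '|'
    separators keep "ab"+"c" and "a"+"bc" from hashing the same message.
    """
    msg = f"{ip}|{login}|{issued_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def forged_hash(ip: str, login: str, issued_at: int) -> str:
    """What the attacker in the question can compute: a hash of the public
    parts only, without SECRET_STRING."""
    return hashlib.md5(f"{ip}|{login}|{issued_at}".encode()).hexdigest()


def verify_submission(hidden_value: str, hidden_hash: str, client_ip: str,
                      now: int, secret: bytes = SECRET_STRING) -> bool:
    """Validate the submitted 'login:time' and its hash.

    client_ip comes from the connection, not from the form, so a forger
    cannot pick it. Returns True only if the hash was made with our secret
    for this IP and login, and the time stamp is current.
    """
    try:
        login, time_str = hidden_value.rsplit(":", 1)
        issued_at = int(time_str)
    except ValueError:
        return False  # malformed hidden field, no DB lookup needed
    if not login or issued_at > now or now - issued_at > MAX_AGE_SECONDS:
        return False
    expected = make_token(client_ip, login, issued_at, secret)
    # Constant-time comparison so response timing leaks nothing about
    # the expected hash.
    return hmac.compare_digest(expected, hidden_hash)
```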

