Hi All,

A few months ago it came to my mind that it might be possible to make a
non-HTTPS session (reasonably) secure by at least not letting people log in
that shouldn't because they might have sniffed the password from a user.
Please let me know if you can find a loophole in this process. I think it
would be interesting for anybody on this list (or anybody really) who has a
bit of knowledge and appreciation about security:

Assumptions:

The session variables are stored on the web server and not transferred to
the client at all.
The client has JavaScript enabled.
We have a secure hash function, say sha1.
We can generate truly random numbers/strings with PHP which cannot be
guessed; call it salt.
A session cannot be stolen.
... add more if needed. :-)

So, we could on the server generate a random salt value and send that to the
client along with the login form.
On the client, when the user submits the form, we take the entered password
value (with JavaScript), hash it with our sha1 function, concatenate it with
the salt and compute the hash value of the password together with the salt
(again). All this in JavaScript or whatever runs on the client.

We then send this hash value, call it h(h(p) + s) (hash(hash(password) +
salt)), to the server. It's useless for the sniffer, because the same value
will never be sent twice, unless of course the user (password) and the salt
are the same (or there is a collision, but we assumed it's a secure hash
function).
We could make sure that a user doesn't get sent the same salt twice by
storing them in the database when used and checking against them when it is
generated.
On the server we could do the same process with the stored hash of the
password (assuming the hash of the password is stored), otherwise it becomes
necessary to also send the actual salt of the password along with the login
form and this would become even a little more complex.

So, if h(p) is stored, we would simply compute h(h(p) + s) where s is the
salt that was sent and stored in a session variable.

Assuming we don't use a salt to store the password hash, this seems quite
secure to me, don't you think? I mean, of course someone can still steal the
session but it becomes a lot harder to figure out the password by sniffing.

What do you think?

If everybody agrees this is worth implementing, I might give it a go and
make a library.

Sorry this is not directly PHP related, but since I like this list, I
thought I would share it with you.

Regards,
Tim

Tim-Hinnerk Heuer

http://www.ihostnz.com
Joan Rivers  - "Never floss with a stranger."
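
The exchange described in the message above, simulated with both sides in one Node.js script. This is an added example, not code from the original post; the names LoginServer, clientResponse and demo, the session ids and the sample account are assumptions. It uses one single-use salt per session instead of a database of used salts.

```javascript
const crypto = require('node:crypto');
// sha1 is the hash the post names; hex output so "+" is string concatenation.
const h = (text) => crypto.createHash('sha1').update(text, 'utf8').digest('hex');

// Client side: what the login form's script computes before submitting.
function clientResponse(password, salt) {
  return h(h(password) + salt);
}

// Server side (hypothetical class): stores h(p) per user, one pending salt per session.
class LoginServer {
  constructor() {
    this.storedHash = new Map();   // username -> h(p)
    this.pendingSalt = new Map();  // sessionId -> salt not yet consumed
  }
  register(user, password) { this.storedHash.set(user, h(password)); }
  // Sent along with the login form; also kept server-side in the session.
  issueSalt(sessionId) {
    const salt = crypto.randomBytes(16).toString('hex');
    this.pendingSalt.set(sessionId, salt);
    return salt;
  }
  verify(sessionId, user, response) {
    const salt = this.pendingSalt.get(sessionId);
    // Consume the salt on every attempt, so a captured response cannot be replayed.
    this.pendingSalt.delete(sessionId);
    const stored = this.storedHash.get(user);
    if (salt === undefined || stored === undefined) return false;
    // The server needs only h(p) to compute the expected value, so the stored
    // hash is effectively the credential and must be protected like a password.
    const expected = Buffer.from(h(stored + salt), 'hex');
    const got = Buffer.from(String(response), 'hex');
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  }
}

// Constructed sample run: one login, a replay of the sniffed value, a wrong password.
function demo() {
  const server = new LoginServer();
  server.register('alice', 'correct horse');
  const salt1 = server.issueSalt('sess-1');
  const sniffed = clientResponse('correct horse', salt1);
  const firstLogin = server.verify('sess-1', 'alice', sniffed);
  server.issueSalt('sess-2');
  const replay = server.verify('sess-2', 'alice', sniffed);
  const salt3 = server.issueSalt('sess-3');
  const wrongPassword = server.verify('sess-3', 'alice', clientResponse('guess', salt3));
  return { firstLogin, replay, wrongPassword };
}
console.log(demo());
```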
