nloding, Posted August 21, 2008

How do you accomplish a secure login in a time seed? Here's the example that I want to get working: User plugs in a username and password. The password is MD5 hashed. The hash is then passed into another function that adds a random number to it, based on the time the login page was generated. The password hash plus the random number is then hashed out again and posted to the site. How do you get that to work? That random number is random and dynamic, likely changing on each page view/post. What would the back-end do to verify that the correct password was entered? I'm seeing more and more logins like this. For example, the SonicWALL management system "GMS": https://gms.demo.sonicwall.com/ The random number in the Javascript functions changes on each page refresh. How do they get this working???????

Link to comment: https://forums.phpfreaks.com/topic/120644-secure-login-in-time-seed/
unkwntech, Posted August 21, 2008

You either don't use a random number or you store it with the user.
.josh, Posted August 21, 2008

That really long changing number looks more like a token than part of the password.
nloding (Author), Posted August 21, 2008

It gets hashed in with the password though, so how does the backend process that? It's obviously possible to do. What would the token indicate?
akitchin, Posted August 21, 2008

The token could be the session ID, using session_regenerate() (or something like that) on every single page. The session ID is accessible on each page.
nloding (Author), Posted August 22, 2008

Using the session ID is an idea, but if it's passed in the Javascript like that, doesn't that allow for even easier hijacking? In the GMS example in the first post, the code takes the current timestamp (with milliseconds) then generates a random number off it. It then cycles the number through a "getNextFloat" or something like that method (it's Java), and depending on what interval the float falls between, it appends a 0-9 integer to a string. In the end, you get that completely random number that you see passed to the Javascript. It's obviously used to validate the password, if you look at the form fields that are posted. The password textbox is replaced with "Nice Try" and the hash is placed into another hidden field. So a random number is hashed. It's obviously a security feature, because I've tried posting my own valid username and password to it with a random number and it fails. So it's validating that random number somehow. HOW??!! I'm lost ... my brain is too feeble ... gah!
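The challenge-response flow the thread is asking about, as an added example that is not code from the thread or from SonicWALL's GMS: the server generates a random challenge when the login page is rendered and stores it with the session (unkwntech's "store it with the user"), the client hashes md5(password) together with that challenge, and the server recomputes the same value from the md5 hash it keeps on file, so a response built with a random number the client picked itself never matches. The user store, function names and the 300-second challenge lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user store: the server keeps md5(password) per user, because the
# client hashes the password with MD5 before mixing in the challenge (as the
# thread describes). MD5 is used only to mirror that scheme; the stored value
# is password-equivalent, so it must be protected like the password itself.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}

# Server-side state: the challenge issued to each session and when it was issued.
SESSIONS = {}
CHALLENGE_TTL = 300  # seconds a challenge stays valid (assumed value)


def issue_challenge(session_id: str) -> str:
    """Server: make a fresh random challenge when the login page is rendered
    and remember it against the session so the POST can be checked later."""
    challenge = secrets.token_hex(16)
    SESSIONS[session_id] = (challenge, time.time())
    return challenge


def client_response(password: str, challenge: str) -> str:
    """Client (the page's JavaScript): md5(password), then md5 of that hash
    concatenated with the challenge. The clear-text password never leaves
    the browser; only this response goes into the hidden form field."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + challenge).encode()).hexdigest()


def verify_login(session_id: str, username: str, response: str) -> bool:
    """Server: recompute the expected response from the stored md5 hash and
    the challenge remembered for this session. The challenge is consumed on
    first use, so a captured response cannot be replayed, and a challenge the
    client invented itself (not the one the server issued) never matches."""
    state = SESSIONS.pop(session_id, None)
    if state is None:
        return False
    challenge, issued = state
    if time.time() - issued > CHALLENGE_TTL:
        return False
    stored = USERS.get(username)
    if stored is None:
        return False
    expected = hashlib.md5((stored + challenge).encode()).hexdigest()
    return hmac.compare_digest(expected, response)
```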