[PHPLIB] Challenge/Response Mechanism that works with all browsers.
From: andre anneck (andre <email protected>)
Date: 12/09/99

Hi there,

I recently tried to use PHPLIB Challenge:Response way of
authentication.
It was easy to build, but once I tried testing it with my Linux Netscape
I found out that the password was still sent over the line :-(.

It seems that Netscape doesn't let you override the value of a password
type input field :-(.

Thus I changed the JS on the crcloginform.ihtml... The snippet below
works with all browsers.
( I was able to test it with IE5, NS(MS), NS(Linux) )

------------- IN THE HTML HEADER ---------------------
<script language="javascript">
<!--
  // Send MD5(username:MD5(password):challenge) through the hidden
  // "logintrue" form, so the password field itself is never submitted.
  function doChallengeResponse() {
    var str = document.login.username.value + ":" +
              MD5(document.login.password.value) + ":" +
              document.login.challenge.value;
    document.logintrue.username.value = document.login.username.value;
    document.logintrue.response.value = MD5(str);
    document.logintrue.submit();
  }
// -->
</script>

------------ At the very bottom of the page before closing BODY ---------------------

<form name="logintrue" action="<?php print $this->url() ?>" method=post>
<input type="hidden" name="username" value="">
<input type="hidden" name="challenge" value="<?php print $challenge ?>">
<input type="hidden" name="response" value="">
</form>

---------------- Changed the submit button to be a link -------------------------
<A HREF="javascript:doChallengeResponse();">login</A>

I experienced problems with some browsers if I still had a real
form-submit button, thus
I changed it to be a link that calls "javascript:".

I submitted the changes into the CVS tree, please someone QA my changes
;-)

Cheers,
Andre
-
PHP3 Base Library Mailing List. Send messages to <phplib <email protected>>.
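
The exchange described in this message, with the server-side check included, as an added Node.js example that is not part of the original message and not PHPLIB's own code. The names `clientResponse`, `issueChallenge`, `verifyLogin`, `users` and `pending` are hypothetical, the in-memory stores stand in for the session and user database, and the sample account is constructed.

```javascript
// Added example (not PHPLIB code): both ends of the challenge/response login.
const nodeCrypto = require('crypto');

const md5 = (s) => nodeCrypto.createHash('md5').update(s, 'utf8').digest('hex');

// Same computation as doChallengeResponse() in the browser:
// MD5(username ":" MD5(password) ":" challenge)
function clientResponse(username, password, challenge) {
  return md5(username + ':' + md5(password) + ':' + challenge);
}

// Constructed sample account. The server holds MD5(password), because that is
// the value the response is derived from.
const users = new Map([['kris', md5('test')]]);

// Challenges the server has issued and not yet consumed (hypothetical store;
// assumed to live in the user's session in a real deployment).
const pending = new Set();

function issueChallenge() {
  const challenge = nodeCrypto.randomBytes(16).toString('hex');
  pending.add(challenge);
  return challenge;
}

function verifyLogin(username, challenge, response) {
  // The form posts the challenge back, so the server must not trust it:
  // accept only a challenge it issued, and consume it on the first attempt
  // so a captured (username, challenge, response) triple cannot be replayed.
  if (!pending.delete(challenge)) return false;

  const stored = users.get(username);
  if (stored === undefined) return false;

  const expected = Buffer.from(md5(username + ':' + stored + ':' + challenge), 'hex');
  const got = Buffer.from(String(response), 'hex');

  // Constant-time comparison; the length check guards malformed hex input.
  return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
}
```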