[phplib] Auth - password changes
From: Karl Zimmermann (kzi <email protected>)
Date: 05/15/00

With PHP4 now having session management functions, I think that the most
commonly used feature of PHPLib will probably be the auth functionality, which
helps avoid sending passwords in plain text. Unfortunately, auth doesn't provide
that feature when the client sends a new password in cases of self-registering or
password change.

Encoding such a password with md5 before sending it is no solution, as it gives an
unwanted observer the result string stored in the password table.

The problem of self-registering could partly be solved if the first password were
randomly generated on the server side and sent to the client via another channel, say
for example email. That is not perfect, but it adds to the burden of an unwanted
observer.

To solve the problem of password change, one needs encrypt/decrypt functionality,
which the md5 algorithm does not provide.

For example, the encryption of the new password on the client side could be done
by using the response string of crcloginform, generated with the old password, as
the secret key, which is then decrypted with the same key on the server side. I am aware
that PHP, through the mcrypt library, offers encrypt/decrypt functionality, but I don't
know if JavaScript offers compatible encryption algorithms.

Any comments or ideas?

---------------------------------------------------------------------
To unsubscribe, e-mail: phplib-unsubscribe <email protected>
For additional commands, e-mail: phplib-help <email protected>