php3-list | 199908
Date: 08/03/99
- Next message: Teodor Cimpoesu: "Re: [PHP3] How to convert this js to php?"
- Previous message: Rasmus Lerdorf: "Re: [PHP3] stdin + mail + problem even if I've read the whole archives"
- In reply to: Steve Lianoglou: "Re: [PHP3] 2 way encrypt/decrypt function in PHP3?"
- Next in thread: Manuel Lemos: "Re: [PHP3] 2 way encrypt/decrypt function in PHP3?"
- Reply: Manuel Lemos: "Re: [PHP3] 2 way encrypt/decrypt function in PHP3?"
What I did was take that a step further... When PHP generates a page
with this setup on it, it puts the challenge into a database... Then
when the challenge is returned to the server with the response, I
check to make sure the challenge used is in the database. If it
isn't, operation is denied. If it is, operation continues and the
challenge is deleted from the database. It's somewhat like a
one-time-challenge-response mechanism, all transparent to the user.
The standard setup suffers from sniffable C-R pairs, which is why I
went that extra step.
Jake Stetser
> I used your algorithm/method to do form login ... and while a "sniffer" (I
> don't exactly know what that is) can't see what the password actually was
> (because the password field is nulled before the encryption) ... why
> wouldn't he be able to "sniff" the encrypted password and just pass that in
> the field which it's expected to be in and then breaking the security that
> way?? ... or is that not possible?
>
> -steve
>
Jacob Stetser
-- icongarden: Making good ideas grow. http://icongarden.com/
Get our PGP public key by emailing pgp <email protected>
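
The one-time challenge store described in the message above, as an added example that is not part of the original post or the poster's own code. The table layout, function names, HMAC-SHA256 response format, five-minute expiry and in-memory SQLite database (PDO SQLite assumed available) are assumptions for illustration.

```php
<?php
// Added example: one-time challenge store. Table name, function names and the
// HMAC-SHA256 response format are assumptions, not taken from the post.
declare(strict_types=1);

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE challenges (challenge TEXT PRIMARY KEY, issued INTEGER NOT NULL)');
    return $db;
}

// Called when the login page is generated: mint a random challenge and record it.
function issue_challenge(PDO $db): string {
    $challenge = bin2hex(random_bytes(16));
    $db->prepare('INSERT INTO challenges (challenge, issued) VALUES (?, ?)')
       ->execute([$challenge, time()]);
    return $challenge;
}

// What the browser-side script would compute, so the password itself is never sent.
function client_response(string $challenge, string $password): string {
    return hash_hmac('sha256', $challenge, $password);
}

// Called on form submit. The DELETE both checks and consumes the challenge in one
// statement, so two concurrent submissions of the same pair cannot both pass.
// The expiry window ($maxAge) is an addition the post does not mention.
function verify_login(PDO $db, string $challenge, string $response,
                      string $password, int $maxAge = 300): bool {
    $stmt = $db->prepare('DELETE FROM challenges WHERE challenge = ? AND issued >= ?');
    $stmt->execute([$challenge, time() - $maxAge]);
    if ($stmt->rowCount() !== 1) {
        return false; // unknown, expired, or already used challenge
    }
    // Constant-time comparison of the expected and submitted responses.
    return hash_equals(client_response($challenge, $password), $response);
}

// Constructed demo values.
$db = open_store();
$stored = 'correct horse';          // server's copy of the user's secret
$c = issue_challenge($db);
$r = client_response($c, $stored);  // the challenge-response pair a sniffer could capture
var_dump(verify_login($db, $c, $r, $stored));  // first use of the pair
var_dump(verify_login($db, $c, $r, $stored));  // replay of the captured pair
var_dump(verify_login($db, bin2hex(random_bytes(16)), $r, $stored)); // challenge never issued
```

Because the challenge is consumed even when the response is wrong, a failed attempt forces a fresh page load and a fresh challenge.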

