• View our reviews on Hot Scripts
  • JS Tutorial

Recent Comments

Powered by Disqus

Back to articles

Secure login over HTTP

It is important to keep passwords secure by storing hash of password in database or $_SESSION variables, so if anybody would get to those, they still couldn't easily know what your password is.

But it doesn't matter how secure you make it on server side, if everything could be seen on user side. What I mean is, if user is logging in using HTTP protocol, then users password is sent to server almost as plain text. Anyone could retrieve it and none of server security could help it.

So how to prevent it? I'll show you a piece of code, how to implement user side hashing into your authentication system, without modifying your existing user data. 

First you will need to download sha256.js to hash user end data. Then this is how we will do on the server side:
if(!isset($_SESSION["userchallenge"]) || ($_SESSION["userchallenge"]==""))
    //generating random string as challange
    $_SESSION["userchallenge"] = md5(rand());   

//So if username is submitted
if(isset($_POST["username"]) && (trim($_POST["username"])!=""))
    //we check if username exists in database
    $query = "select * from users 
          where username ='".mysql_escape_string($_POST["username"])."'";
    $result = mysql_query($query, $serverlink);
    if(mysql_num_rows($result) > 0 ) 
        //if exists we check if password provided is correct
        $user = mysql_fetch_array($result);
        //we hash password in database, add challange to it, and hash it once again 
        //to make it more secure
        //then we compare it to submitted password hash if they match, user is logged in
        //you can use any hashing order or combination, just use the same one on user side
            hash("sha256",$userrow['password'])) == $_POST["passwordhash"])
            //logged in
            //if no we create other random string for challange
            //and let user try again
            $_SESSION["userchallenge"] = md5(rand());
        //if username is not found in database
        //we create other random string for challange
        //and let user try again
        $_SESSION["userchallenge"] = md5(rand());

And this is user side:

<script type="text/javascript" src="sha256.js" ></script>
<script language="javascript" type="text/javascript">
 function PerformHash(){
    //getting password field
    var plaininput = document.getElementById("password");
    //getting challange field
    var challenge = document.getElementById("challenge");
    //getting password hashfield
    var hashinput = document.getElementById("passwordhash"); 
    //creating password hash and inputting it in password has field
    hashinput.value = 
    //emptying password field cause we don't want to be sent in plain text, 
    //we have a password hash
    plaininput.value = "";
    //same thing for challange
    challenge.value = "";
    return true
<form action='' method="post">
<!-- username input -->
<p>username: <input type="text" name="username" id="username" /></p>
<!-- password input -->
<p>password: <input type="password" name="password" id="password" /></p>
<!-- Here we will store password hash -->
<input type="hidden" name="passwordhash" id="passwordhash" value="" />
<!-- Here we will output server generated challange string -->
<input type="hidden" name="challenge" id="challenge" 
        value="<?php echo $_SESSION["userchallenge"]; ?>" />
<p><input type="submit" value="Login" onclick="return PerformHash()"/></p>

You can come up with other combinations of hashing, just use the same on the server side and user side.

You may also be interested in:

Powered by

blog comments powered by Disqus