Quote:
Originally posted by Hue G. Pness
Well, I think most users would prefer a script that is as secure as possible for passwords etc. So an md5 hash, while not bulletproof, certainly can't hurt and I would think is much better than just launching the password in plain text.
Fairly close to bulletproof, actually.
What happens is the following (severely simplified):
A person wants to log in.
The server registers a session, containing the session id, the IP address of the user, the random variable which is used in the hash and the md5 hash of the password/variable (and other stuff like time of death etc.).
The user gets the random variable, which is used with the password for the generation of the md5 hash... this uses JS, so the server doesn't have to do anything.
The md5 hash is verified against the md5 hash; the user gets the md5 hash and the session id in a cookie.
Not bulletproof, and not as good as using SSL, but a hacker needs the session id, the md5 hash and the user's IP to get in. Also, the whole thing dies as soon as the user logs out or the session expires. So, he needs to do a bunch of stuff and is in a big hurry... and there is nothing he can do against the login stuff dying quickly.
