Hi,

Tuesday, October 21, 2003, 12:52:33 PM, you wrote:

OMH> Hi Tom,
OMH> I've got a question for you regarding this encrypt class of yours. Just
OMH> wanted to understand how well it would work against a guy with a sniffer
OMH> such as ethereal (presuming he's on the LAN/wifi to access the app).
OMH> How does the encryption happen? Client side or server side? How does it get
OMH> transmitted? I'm curious as to how to prevent people from sniffing out the
OMH> username/pass combo for these sorts of sites that need memberships.
OMH> In some instances I can see the user/pass combo being passed in plain text,
OMH> eg: user=someuser&pass=somepass&id=232&......
OMH> or in hashed form,
OMH> eg: user=someuser&pass=*(^&$&[EMAIL PROTECTED]&(J83&%#396asjjuwo273314koopu83jskl&id=232&.....
OMH> How does the hash happen?

The encryption happens server side and is really only intended to encrypt variables that are passed to the web client, such as product id and stuff. The only way to do secure login and prevent sniffing is to use SSL, which will encrypt the traffic to and from the client. I suppose JavaScript could be used to fudge encryption, but that would be an extremely weak way to do it.

To protect hidden variables you will still need to use some form of server side encryption. If you have more than one hidden variable, a good way is to put them in an array, serialize it, encrypt the result and put that in a single hidden field. It would almost be impossible to interfere with those.
Something like this:

    $e = new encrypt_class();
    $hidden = array();
    $hidden['username'] = $username;
    $hidden['access'] = 'admin';
    // serialize the whole array, encrypt it, and ship it as one hidden field
    $sh = $e->encode(serialize($hidden));
    echo '<input type="hidden" name="access" value="'.$sh.'">';

Then on the return:

    $e = new encrypt_class();
    $access = array();
    if (isset($_POST['access'])) {
        // decrypt, then unserialize back into the array built above
        $access = unserialize($e->decode($_POST['access']));
    }
    if (isset($access['username'])) {
        // good chance data is valid
    } else {
        echo 'Data corrupted';
        exit;
    }

There is no single fix for security, as there is always someone smarter :)

--
regards,
Tom

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
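The hidden-field scheme Tom describes, as an added example that is not part of his reply and does not use his encrypt_class: encryption hides the values from the client, but by itself it does not tell the server whether the field it gets back is the one it sent out, so this version adds an HMAC over the encrypted blob and refuses anything that fails the check, and it packs the array as JSON rather than with serialize() so the decode step cannot construct objects from client-supplied data. Assumptions: PHP 7.1 or later with the openssl extension, and the hypothetical $enc_key and $mac_key secrets, which the demo derives from fixed strings only to keep the script self-contained.

```php
<?php
// Added example (editor's code, not Tom's encrypt_class): several hidden
// variables packed into one field, encrypted server side and authenticated
// with an HMAC so that a modified or forged field is rejected before it is
// decoded. Assumes PHP 7.1+ with the openssl extension. $enc_key and $mac_key
// are hypothetical server-side secrets; load them from configuration, never
// derive them from a fixed string as the demo at the bottom does.

function pack_hidden(array $vars, string $enc_key, string $mac_key): string
{
    // JSON rather than serialize(): json_decode() cannot instantiate objects,
    // so a decoded field can never trigger __wakeup()/__destruct() side effects.
    $plain = json_encode($vars);
    $iv = random_bytes(16);
    $cipher = openssl_encrypt($plain, 'aes-256-cbc', $enc_key, OPENSSL_RAW_DATA, $iv);
    if ($cipher === false) {
        throw new RuntimeException('encryption failed');
    }
    $blob = $iv . $cipher;
    // encrypt-then-MAC: the tag covers both the IV and the ciphertext
    $mac = hash_hmac('sha256', $blob, $mac_key, true);
    return base64_encode($blob . $mac);
}

function unpack_hidden(string $field, string $enc_key, string $mac_key): ?array
{
    $raw = base64_decode($field, true);
    if ($raw === false || strlen($raw) < 16 + 32) {
        return null;                       // not even the right shape
    }
    $blob = substr($raw, 0, -32);
    $mac  = substr($raw, -32);
    $expected = hash_hmac('sha256', $blob, $mac_key, true);
    if (!hash_equals($expected, $mac)) {
        return null;                       // tampered or forged: refuse before decrypting
    }
    $iv     = substr($blob, 0, 16);
    $cipher = substr($blob, 16);
    $plain  = openssl_decrypt($cipher, 'aes-256-cbc', $enc_key, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        return null;
    }
    $vars = json_decode($plain, true);
    return is_array($vars) ? $vars : null;
}

// --- demo with constructed values ---
$enc_key = hash('sha256', 'demo-encryption-secret', true);   // 32 bytes for aes-256
$mac_key = hash('sha256', 'demo-mac-secret', true);

// Building the form
$field = pack_hidden(['username' => 'alice', 'access' => 'admin'], $enc_key, $mac_key);
echo '<input type="hidden" name="access" value="' . htmlspecialchars($field) . '">' . "\n";

// On the return trip (in a real handler $field would come from $_POST['access'])
$access = unpack_hidden($field, $enc_key, $mac_key);
if ($access === null || !isset($access['username'])) {
    echo "Data corrupted\n";
    exit;
}
echo "user={$access['username']} access={$access['access']}\n";

// A client that edits even one character of the field is caught by the MAC
$tampered = $field;
$tampered[5] = ($tampered[5] === 'A') ? 'B' : 'A';
if (unpack_hidden($tampered, $enc_key, $mac_key) === null) {
    echo "tampered field rejected\n";
}
```

The MAC catches modification, not replay: a captured field that was valid for one user stays valid until the keys change, so for something like the access=admin flag, put the session id or user id inside the packed array as well and compare it on the way back. And as Tom says, none of this protects the login itself against someone with a sniffer; that still needs SSL.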