Javascript login authentication...
Jul. 11th, 2006 02:36 am
Authentication:
We'll generate a new challenge string. This will be composed of:
- a random lifespan
- a random character
- and probably the mysql key for the row we're temporarily storing our randomness in.
We'll encode this in MD5 and send it to the client as the challenge.
Client encodes (password+challenge) with MD5 and sends this back to us.
We compare MD5(password+challenge) with what client replies with.
If they match, they're authenticated.
--
Did I get that right? I've been reading various articles and also looking at livejournal code. I'm pretty sure it's right, as... even if the MD5 hash gets intercepted by someone in the middle, they can't guess the password, since it'll be quite different each time: changing one letter in the string used to generate MD5 will result in a vastly different MD5 hash, if my memory isn't lying. And our challenge string will be different each time.
no subject
Date: 2006-07-11 07:13 am (UTC)

no subject
Date: 2006-07-11 07:21 am (UTC)
Oh, better idea, who needs passwords, anyways? We'll just ask for their login, and if their IP address doesn't match up with what they had when they first created their account, we'll just ask them to register.. again. :-P Or send them an e-mail with a "verification link".