You are invited to Log in or Register a free Frihost Account!

Secure Login on the first page without https://

A client of mine wants to have the login to their site on the home page of their site. the only way that I know of to securely send data from the client side to the server is under a https:// layer. The problem with this is that having the home page be a https:// layer messes up things with search engines like google and yahoo indexing. I know that there must be somekind of trick out there for sending login information from the client to the server securely without using https:// protocol. I see it done on a lot of bank web sites and things like that. both of my banks and have a secure login on the homepage. can anyone out there enlighten me about this process. I would really appreciate it.
Thank you in advance
Bit complicated, but it is like this:

To start with, you don't want to save the users password in the DB as plain-text, so you encrypt it with a a one-way hashing algorithm like MD5 or SHA256. Using a server-side script (like PHP) you can encrpyt the users password with a constant seed, and store that hashcode in the DB (Now no one who can read your DB can get any passwords). The constant seed must remain constant through out the life of your application.

Note that the password CANNOT be decrypted, because it is a One-Way algorithm, but we won't need to decrypt it, only compare against it!

Now when you first send the client the page with the login form from the server, you should add a constant seed and random seed to the page via PHP output, as they will be required when encrypting the client-side password. Also, store the Random seed for later use, it will be needed.. This is best stored in a Session Variable, as it only lasts the life of the users session.

Then, when the users goes to login, you must encrypt the password on the clients machine (using JavaScript) always with the same a one-way hashing algorithm used for the server-side hashcode. The best way is to encrypt twice; first with the constant seed, and then with the randomly generated seed, both of which were added to the page via PHP Output.

Once that is done, the client can send that hashcode to the server (it is safe now), but the server has to recognize it, so the next step is to verify the hashcode sent from the client.

To do this, we get the original hashcode stored in the DB (if you recall, it was only encrypted once, with the constant seed), and then use the random seed we generated earlier (it should be stored in a session variable) and we use those to encrypt the hashcode (now encrypted with both the constant and random seeds), so that the resulting hashcode is the REAL hashcode, and the hashcode that was sent from the client (over the internet) is the clients attempt at the password. If the two hashcodes match, then the user entered the right password!

I hope that makes sense to you.. any questions, fire away!!
Thanks for the reply. But I'm not really clear on what you mean by 'seed'. you mentioned that I need a constant seed and a random seed. by 'seed' do you mean a hash or encryption? could you clearify that for me. thank you
Well, a seed is just a random string.. like a constant seed in PHP may be something like:


$szConstantSeed = md5( '!x6D*6h3D+$gZo15.Fsa4wq!' );

Which would result in a 32 character hash value.. that could be the seed..

A seed is just a string that you append to the end (or beginning) of the password before you hash the password (to make the resulting hash more secure).
You need to understand One-Way hashes first, you can't "decrypt" a one-way hash, because it is "one-way", but you can still bruteforce it. If you have a list of possible passwords, you could just hash each one and compare it, and eventually you may find the right one. But if the password had a seed attached to it before it was encrypted, then your list of passwords would never match because they are missing the seed, and you would have to know exactly what the seed is to know what the password was.. Which is nearly impossible if you don't give out the seed!

So, back on topic, if you have a constant seed like above, that would usually be stored in a global variable, and never changed during the life of your application. Yes, the seed itself is hashed also, to make the seed harder to guess!

Then you can have a random seed, which is generated automatically on each session, and stored in a session variable. There are many ways to generate a random seed (string), and one method I use is:


    function GetRandomSeed()
        if( !isset($_SESSION['RandSeed']) || !strlen($_SESSION['RandSeed']) )
        {   // Generate Random Seed
            $szLeft = str_pad( sprintf( "%d", rand( 1, 99999 ) ), 5, '0', STR_PAD_LEFT );
            $szRight = str_pad( sprintf( "%d", rand( 1, 99999 ) ), 5, '0', STR_PAD_LEFT );
            $_SESSION['RandSeed'] =  md5( $szLeft.'.'.$szRight );
        return $_SESSION['RandSeed'];

This method will return you the seed if it is already generated (stored in session variable), or it will generate a new one if it is not already generated, and return that!

So, with the constant/random seeds, you can implement the theory I mentioned above.. I myself use the exact same theory in my PHP code for my personal CMS. One day I plan to release it free and open-source, so you can see it all there. However, I may be willing to give you a code snippet (albeit a large snippet) to demonstrate the example, but it won't be functional.

Also, I plan to write a tutorial on this exact subject soon enough, and I am going to post it here..
I'll be looking forward to your tutorial. and I would love a code snippet. although now that you clearified 'seed' form me I understand the concept. wouldn't the uniqid() function be good for generating the random seed? something like this


// random seed
$seed= md5(uniqid());

// append more entropy to make the uniqid() 32 characters
$better_seed = md5(uniqid(rand(), true));

Related topics
Reply to topic    Frihost Forum Index -> Scripting -> Php and MySQL

© 2005-2011 Frihost, forums powered by phpBB.