[prog] web authentication

Michelle Murrain michelle at murrain.net
Thu Nov 10 09:21:12 EST 2005


On Nov 9, 2005, at 11:09 AM, Caroline Johnston wrote:
> I want a reasonably secure login system for a web-app and I'm not quite
> sure how to set it up. I had a bit of a google and I reckon I can send a
> random number to the browser and MD5 the number with the password
> client-side, then send this back and on the server side check whether the
> password I've got stored gives the same MD5 when combined with the random
> number. Except that this prevents me from one-way encrypting the password
> in the DB on the server. Any suggestions on how I make the server-side
> more secure? I'm writing in perl (catalyst) with a MySQL DB on a linux box
> (FC3) running apache.

I think the best method is not to set the password client side, but
set a cookie with a session 'brand' (an MD5 hash), and check against
that. Send the password for authentication via https, so it's
encrypted on the way there.

You can deal with the password entirely server side, using that
method, although encrypting it in the database seems overkill to me,
if you've got your database system locked down well. We use plaintext
passwords stored on the server.

Michelle

Michelle Murrain
Seminarian, Pacific School of Religion
michelle at murrain.net
Blog: http://www.pearlbear.us

AIM:pearlbear0
googletalk:michelle.murrain at gmail.com

"To reach satisfaction in all desire satisfaction in nothing." -- St.  
John of the Cross
"Rely on nothing until you want nothing" -- Dhammapada
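The two schemes discussed in this thread, side by side, as an added illustration that is not code from either poster; it is written in Python rather than Caroline's Perl/Catalyst, and the salted PBKDF2 storage and `secrets`-generated session token are this example's choices, not something the thread specifies.

```python
import hashlib
import hmac
import os
import secrets

# --- Scheme 1: nonce sent to the browser, MD5(nonce + password) sent back ---
# The server can only recompute the same digest if it still holds the password
# itself (or an equivalent reusable secret), which is exactly why this scheme
# conflicts with one-way hashing the password in the DB.
def client_digest(nonce: str, password: str) -> str:
    # What the browser-side script would compute and submit.
    return hashlib.md5((nonce + password).encode()).hexdigest()

def challenge_response_ok(stored_password: str, nonce: str, digest: str) -> bool:
    expected = client_digest(nonce, stored_password)
    return hmac.compare_digest(expected, digest)

# --- Scheme 2: password submitted over HTTPS, one-way hash stored server side ---
# A per-user random salt plus PBKDF2; the server re-derives the hash from the
# submitted password and compares, so the plaintext is never stored.
PBKDF2_ROUNDS = 100_000

def make_password_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def password_ok(record: dict, submitted: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", submitted.encode(),
                                 bytes.fromhex(record["salt"]), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), record["hash"])

# After a successful check the server issues a random session token (the
# cookie "brand"); the token-to-user mapping lives server side, and the cookie
# never carries the password or anything derived from it.
SESSIONS: dict = {}  # constructed in-memory session store for the example

def login(users: dict, username: str, submitted: str):
    record = users.get(username)
    if record is None or not password_ok(record, submitted):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token

def user_for_cookie(token: str):
    # Lookup done on every subsequent request instead of re-checking a password.
    return SESSIONS.get(token)
```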