Here's the sample script that will let the user log in, then have JavaScript encrypt the password and carry it over to PHP, and have PHP encrypt the password and match the JavaScript-encrypted password. This script is pretty effective without the SSL.
I got the script working, so I'm posting a script that works for me. If you wanna try it out or use it, then you'll need to get the MD5.js that comes with libPHP. Just download libPHP and pull out only one file, MD5.js, and then junk libPHP.

One thing I found interesting about this code is that whether the login is successful or failed, the password will not be shown, and neither is the encrypted password. That is a good thing. I had to create a Session ID also. You'll have to forgive me for including some script for PHP 4.0.6 and PHP 4.2.3, since I'm stuck with one of the employees who doesn't have time to upgrade one of the websites.

--clip--
<?
//PHP 4.0.x Only ==============================
if ($auth == "true") {
    //Initialize the Session Cookie......
    @session_start();
    @session_register("admin_detail");
//=============================================
//PHP 4.2.x Only ==============================
//if ($_REQUEST['auth'] == "true") {
//    //Initialize the Session Cookie......
//    @session_start();
//=============================================

    $SID = session_name()."=".session_id();

    //PHP 4.0.x Only ==============================
    //Validating the User's Login Attempt.....
    //(=== compares the two hashes as strings, with no numeric type juggling)
    if (($user == "administrator")&&($HiddenField === md5(md5("passwordExample123").$admin_detail['random_number']))) {
    //=============================================
    //PHP 4.2.x Only =============================
    ////Validating the User's Login Attempt.....
    //if (($_REQUEST['user'] == "administrator")&&($_REQUEST['HiddenField'] === md5(md5("passwordExample123").$_SESSION['random_number']))) {
    //=============================================
        header("Location: http://www.whatever.com/admin/main_index.php?$SID");
        exit; //Stop here so the login form is not sent after the redirect
    } else {
        $login_action = "Failed!!";
    }
} else {
    //Creation of the Session ID.....
    $salt = strtoupper(md5(uniqid(rand())));
    session_id($salt);
    session_start();
    //PHP 4.0.x Only ==============================
    session_register('admin_detail');
    $admin_detail['random_number'] = rand();
    //=============================================
    //PHP 4.2.x Only ===========================
    //$_SESSION['random_number'] = rand();
    //=============================================
}
?>
<script language="javascript1.2" src="scripts/md5.js" type="text/javascript"></script>
<script language="javascript1.2" type="text/javascript">
function encryptPass(formObj) {
    formObj.HiddenField.value = MD5(MD5(formObj.pass.value)+formObj.RandomString.value);
    formObj.pass.value="";
    return true;
}
</script>
<?
echo "<form name='LoginForm' method='post' action='dp_admin_auth.php?".SID."&auth=true' onSubmit='encryptPass(document.LoginForm)'>";
?>
<table border="0" cellpadding="0" cellspacing="0" align="center" width="600">
  <tr>
    <td class="normal">
      Use the Login to access the Administration Site.
    </td>
    <td>
      <table border='1' align='right'>
        <tr>
          <td>
            <table width='175' cellpadding='0' cellspacing='0' border='0'>
              <tr>
                <td align='center'><br>
                  Username: <input type='text' name='user' size='10' maxlength='14'>
                  <br><br>
                  Password: <input type='password' name='pass' size='10' maxlength='14'>
                  <br><br>
                </td>
              </tr>
              <tr>
                <td align='center'>
                  <input type='submit' value=' Login '>
                  <input type='reset' value=' Clear '><br><br>
<?
//PHP 4.0.x Only ==============================
echo "<input type='hidden' name='RandomString' value='".$admin_detail['random_number']."'>";
//=============================================
//PHP 4.2.3 Only ============================
//echo "<input type='hidden' name='RandomString' value='".$_SESSION['random_number']."'>";
//=============================================
echo "<input type='hidden' name='HiddenField' value='Null'>";
?>
                </td>
              </tr>
            </table>
          </td>
        </tr>
      </table>
    </td>
  </tr>
  <tr>
    <td class="dp_support1">
<?
if($login_action == "Failed!!") {
    echo " <span style='color:#FF0000;'>The Login Attempt had Failed!!</span>";
}
?>
    </td>
  </tr>
</table>
</form>
--clip--

Enjoy!
FletchSOD

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
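
The challenge-response exchange the script above performs, with both sides written out, as an added Node.js example that is not part of the original post. The function names, the in-memory maps standing in for the PHP session and account store, the CSPRNG challenge, the single-use rule and the constant-time comparison are assumptions of this example; MD5 is kept only to match the post.

```javascript
const crypto = require('crypto');

// MD5 hex digest, standing in for md5.js on the client and md5() in PHP.
const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Constructed sample account: the server holds MD5(password), as the post's PHP computes it.
const STORED = new Map([['administrator', md5('passwordExample123')]]);

// Assumption: an in-memory map stands in for the PHP session (session id -> challenge).
const challenges = new Map();

// Server, on rendering the form: value for the hidden RandomString field.
function issueChallenge(sessionId) {
  const challenge = crypto.randomBytes(16).toString('hex'); // assumption: CSPRNG instead of rand()
  challenges.set(sessionId, challenge);
  return challenge;
}

// Client: what encryptPass() writes into HiddenField before submit.
function clientResponse(password, challenge) {
  return md5(md5(password) + challenge);
}

// Server, on submit: recompute the expected value and compare.
function verifyLogin(sessionId, user, response) {
  const challenge = challenges.get(sessionId);
  challenges.delete(sessionId); // assumption: single use, spent on pass or fail
  if (challenge === undefined || !STORED.has(user)) return false;
  const expected = Buffer.from(md5(STORED.get(user) + challenge), 'hex');
  const got = Buffer.from(String(response), 'hex'); // non-hex input decodes short
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return got.length === expected.length && crypto.timingSafeEqual(expected, got);
}

// One round trip with constructed values; the second submit reuses the first response.
function roundTrip() {
  const sid = 'constructed-session-id';
  const response = clientResponse('passwordExample123', issueChallenge(sid));
  return [verifyLogin(sid, 'administrator', response), verifyLogin(sid, 'administrator', response)];
}

console.log(roundTrip());
```

The second element of the result is false because the challenge was spent by the first submit, so a response captured on the wire is not accepted again.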