Robust, secure blog login

2004-07-15 00:03 - Programming

A small warning, this article is for tech-heads. If you're not one your head might hurt after reading this. Just read this unrelated note: I thoroughly enjoy the television show Iron Chef, it's a game show like many others except the competition is in cooking. I've watched many many episodes, but today I just saw my first episode that ended in a tie. Apparently, in that case, they battle it out in a lightning round, only 30 minutes. Quite impressive

As to the tech stuff, my brain is gladly cooling off right now after a hearty coding session. I've implemented a special login/encryption scheme as well as a custom session driver.

First, the login is driven by md5 hashing, using javascript on the client side. Those routines I got online and they were by the way released under the BSD license. The algorithm is based on the APOP command from the POP3 RFC. Empty unauthorized sessions are created and flagged with the visitor's IP address. They contain a hash to identify the session with, and a salt. When the user logs in, the password is md5'ed, the salt is prepended, and that is then md5'ed again. On the server side, the salt is loaded from the session, prepended to the md5'ed password stored in the database, and md5'ed.

Assuming they match, the session is then authorized. Any request with the given hash in the cookie, from the original IP address is assumed to be that user. The session lasts one month, and is refreshed with every page view. This was done for convenience. I think the balance of the md5 encryption (given a lack of SSL) plus the IP address tracking should prove secure enough, while the one month timeout will mean I never have to enter a password. Further convenience comes from the two-active-session maximum. Two hash/IP combination sessions are allowed per user, so I can stay logged in at work and at home. Whoopee!

Next up: fixing the article post to work with the new login system, and then more exciting changes!


No comments!

Post a comment:

  If you do not have an account to log in to yet, register your own account. You will not enter any personal info and need not supply an email address.

You may use Markdown syntax in the comment, but no HTML. Hints:

If you are attempting to contact me, ask me a question, etc, please send me a message through the contact form rather than posting a comment here. Thank you. (If you post a comment anyway when it should be a message to me, I'll probably just delete your comment. I don't like clutter.)