Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

password hashing for login solution with PHP and javaScript

Tags:

javascript

authentication

php

I know that, for security reasons, it is necessary to hash (with salt) the user's password and comparing it to a stored hashed password, so if anybody else gets the hashed string, he will have no way to compute back the password or look it up in a rainbow table.

There is one part of the method that I don't understand. Let's say I have this standard login form

<form method='post' action='login.php'>
    <input type='text' name='user' />
    <input type='password' name='password' />
    <input type='submit' name='submit' value='login' />
</form>

and then I use PHP for login

<?php
    if(isset($_POST['submit'])){
        $username = $_POST['username'];
        $password = sha1($_POST['password']);
        $authorize = $login_object->login($username, $password);
    }
?>

and, behind the scenes, the $login_object takes care of authenticating with the database and returning true/false. (I made this object up, I have real, useful objects to do this)

but that means the password in the POST request traveled raw, un-hashed and unsafely! Anybody could have intercepted the real password!

So what I am thinking is that I should use javascript to hash the password before it's sent. I would have a hidden field <input type='hidden' name='real_password' value='' /> and have javaScript copy the value of the input named password, hash it, put it in real_password hidden input and blank the password field. This way, the POST request would have the hashed password and not the raw, unsafe, original password.

Am I right with what I'm saying, or should I just do the hashing on php?

like image 668
Daniel Avatar asked Dec 15 '22 17:12

Daniel

1 Answers

Hashing secures the data on the server side. To secure the data-flow to the server, use HTTPS. In that regard it makes no difference whether the password or its hash is stolen (and later duplicated) on the wire. HTTPS also grants certificates to ensure that a padlock is displayed in the user's browser (remember never to enter important password in pages without proper certification).

like image 94
Levente Pánczél Avatar answered Dec 18 '22 10:12

Levente Pánczél
Sign in to Comment

Related questions

Which HTTP response codes are errors?
PGSQL driver not found in Laravel PHP Framework
Updating MySQL database when user closes browser
Change url slug to camel case
PHP optimization - include() or not
Why does fpdi crop the pdf page?
PHP CSV to Associative Array
Has anyone seen php encryption like this? [closed]
PHP implode array with prefix and commar seperated
How to password protect pdf in PHP [duplicate]
Bad message number error
Why jQuery.parseJSON does not accept newlines?
Vagrant/Puppet --- ensure: change from present failed: Could not set 'present on ensure: No such file or dir
How to fix php Warning: file_get_contents?failed to open stream: HTTP request failed
Creating HTML E-mails in Zend Framework 2 with Zend_Mail + Zend_Mime
Load CodeIgniter models in Controller constructor
Return a loop in function php
Display encoded HTML in Kendo UI
Symfony2 form validation groups based on submitted data
Ajax call to PHP is returning nothing

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!