User password protection new trick

zhaozj2021-02-08  631

Translation: 晨辉

24/04/2000

Readers often ask how to use JavaScript on their site to make sure the password a user types at login does not leak. My first reaction to this question is to tell them to use SSL (Secure Sockets Layer). In fact, SSL is the best solution for web applications with higher security requirements. However, there is also a considerable number of developers whose web applications do not have high security requirements, so they do not want to make visitors log in over SSL.

Web applications generally use a technique called session state management to track and manage the interaction between a browser and the server. Because each browser request is independent of every other request (as defined by the Hypertext Transfer Protocol), a web application must use some technique, such as cookies, hidden form fields, or URL rewriting, so that the server can associate a series of requests with one browser session. Most server-side programming environments (such as ASP, PHP, ColdFusion, etc.) use cookies.

The problem is that session state management is fundamentally insecure. The cookies, form values, or URLs used to manage session state can be intercepted by an attacker in transit. Once the interception succeeds, the attacker can use this information to take over the user's session.

In most server-side scripting environments you can take some measures to reduce this kind of leakage. For example, you can give cookies a short lifetime so that intercepted information quickly becomes useless. However, the safest solution is still SSL. With SSL, both the user's password and the session state information are protected.

If you don't use SSL, you can ask users to re-authenticate on each sensitive page of your application. From the user's perspective, however, this is too troublesome. In short, you must know how much risk your users are willing to bear. If the risk of a password leak is too high, you need to build the application on SSL. If you cannot use SSL, you can use the MD5-based login scheme described below. It at least protects your users' passwords from leaking. In addition, there are server-side scripting techniques that prevent session state information from being stolen.

Typically, if a user logs in without SSL (that is, over plain HTTP), then from the moment the password leaves the browser until it reaches the target web server, the password is exposed without any protection, as shown in the chart on the following page.

However, we can use a one-way (irreversible) function to build a login scheme that never exposes the user's password. A function is a correspondence between the elements of two sets: for a function from set A to set B, each element of A has a unique element of B corresponding to it. A one-way function is one that is hard to invert computationally; that is, given an element of set B, it is difficult to determine which element of set A corresponds to it.

A shredder is a good analogy. It is easy to feed a document into a shredder, but if you want to reassemble the document after it has been shredded, that is very difficult.

The MD5 solution

One of the most popular one-way functions in use today is the MD5 algorithm developed by Ronald Rivest. Ronald Rivest is also one of the inventors of the famous RSA (Rivest, Shamir, Adleman) encryption algorithm. The MD5 algorithm produces a 16-byte "digital fingerprint" for a message of any length. The message can be a string, a file, a text stream, or any other sequence of bytes. The MD5 algorithm is described in detail in RFC 1321.

We want to develop a login method based on the MD5 algorithm that protects the user's password on its way from the browser to the web server.

When a user requests the login page of a web application, the web server returns a login form. This form carries a randomly generated value, selected at random from a space of about a billion possible values.

The user enters his or her username and password in the login form. The client-side script appends the random value to the password and then runs the result through the MD5 one-way function, replacing the original password with the computed value. I refer to this value as the MD5 password.

Finally, the client-side script sends the username and the MD5 password to the web server. Because only the MD5 password is transmitted between the browser and the server, no one can obtain the original password entered by the user.

After receiving the username and MD5 password, the web server performs the same operation as the browser did: it takes the user's real password (retrieved from a protected area on the server), appends the same random value that was sent to the user, and computes the correct MD5 password. The web application then compares this value with the one it received from the browser. If the two values are equal, the web application creates a server-side session variable recording that this user has been authenticated.

At this point you may question the necessity of the random value. In fact, the random value is there to prevent replay attacks. If only the original user password were passed through MD5, the corresponding MD5 password would always be the same value, and an attacker who intercepted the MD5 password could log in to the web application with it. With the random value, the MD5 password generated at each login is unique, so this problem is avoided.

JavaScript implementation

Implementing the MD5 login scheme in JavaScript is relatively easy. Paul Johnston's site provides a complete JavaScript implementation of the MD5 algorithm, along with other information about MD5. Copy the code to a text file and name it MD5-JS.txt.

We will write the server-side script in an ASP environment (because ASP supports JScript, Microsoft's version of JavaScript). You can use any server-side scripting language, but then you must translate the MD5 algorithm into the language you choose.

The following is the login form login.asp implemented in an ASP environment. You can try the simulated login online with the user name Jason and the password F2#5%RSQ.

<%@ Language="JScript" %>
<html>
<head>
<title>Please log in!</title>
<% Session("SharedValue") = Math.random().toString() %>
<script language="javascript" src="md5.js"></script>
<script language="javascript">
var SharedValue = "<%= Session("SharedValue") %>"

function handleLogin() {
  sendMD5Value(calculateMD5Value())
}

function calculateMD5Value() {
  var pw = document.forms["login"].elements["password"].value
  pw += SharedValue          // append the server's random value to the password
  return calcMD5(pw)         // calcMD5() is defined in md5.js
}

function sendMD5Value(hash) {
  document.forms["login"].elements["password"].value = hash
  document.forms["login"].submit()
}
</script>
</head>
<body>
<form name="login" method="post" action="checkpassword.asp">
User ID: <input type="text" name="userid" size="40"><br>
Password: <input type="password" name="password" size="40"><br>
<input type="button" name="startlogin" value="Login" onClick="handleLogin()">
</form>
</body>
</html>

Only three lines of the above are ASP script. (The content between <% and %> is ASP script.) The first line of the file declares the ASP language as JScript.

<%@ Language="JScript" %>

The second ASP line sets a server-side session variable called "SharedValue" to the string representation of a random floating-point number. This session variable lives on the server for the whole of the user's session.

<% Session("SharedValue") = Math.random().toString() %>

The following line sets the client-side JavaScript variable called SharedValue to the value of the server-side variable of the same name.

var SharedValue = "<%= Session("SharedValue") %>"

The user enters his or her username and password in the form and clicks the "Login" button, which triggers the handleLogin() function. handleLogin() calls calculateMD5Value(), which appends the random value to the user's password and computes the MD5 value of the result. Next, sendMD5Value() takes this value, replaces the password the user typed into the form with it, and finally submits the form.

One thing to note here: the script tag that includes the md5.js file stands on its own line. That file is the implementation of MD5, which you can (and should) copy from Paul Johnston's site. The calcMD5() function used by calculateMD5Value() is defined in md5.js.

On the server, we use an ASP script called checkpassword.asp to verify the username and the MD5 value. Its content is as follows:

<%@ Language="JScript" %>
<!-- #include file="md5.inc" -->
<%
function calculateMD5Value() {
  var pw = "" + Application(Request.Form("userid"))   // the user's real password
  pw += Session("SharedValue")                         // same random value sent to the browser
  return calcMD5("" + pw)                              // force a JScript string before hashing
}

clientPassword = Request.Form("password")
serverPassword = calculateMD5Value()
if (clientPassword == serverPassword) Response.Redirect("page1.htm")
else Response.Redirect("tryagain.htm")
%>

The following line includes the file md5.inc in the checkpassword.asp script:

<!-- #include file="md5.inc" -->

This file is md5.js wrapped between ASP's <% and %> tags. By convention, ASP include files use the .inc suffix.

The other part of the server-side script is the calculateMD5Value() function. Request.Form("userid") returns the username the user submitted. The real password for that username is looked up in an Application variable. (If you plan to use ASP in production, you will probably want the script to obtain the password some other way.) The pw variable holds the user's password. The function then retrieves the random value originally sent to the user from the session variable, appends it to the password, computes the MD5 value of the combined string, and returns the result.

function calculateMD5Value() {
  var pw = "" + Application(Request.Form("userid"))
  pw += Session("SharedValue")
  return calcMD5("" + pw)
}

The core of the user authentication is performed by four lines of code that use the calculateMD5Value() function. The MD5 password submitted by the user is assigned to the clientPassword variable, and the value computed by the server is assigned to the serverPassword variable. The two values are compared. If they match, the user's browser is sent to page1.htm, the home page of the protected web application. If they do not match, the browser is sent to tryagain.htm, which tells the user that the login failed and asks them to log in again.

clientPassword = Request.Form("password")
serverPassword = calculateMD5Value()
if (clientPassword == serverPassword) Response.Redirect("page1.htm")
else Response.Redirect("tryagain.htm")

To use this script, just make page1.htm the home page of the protected web application. If you don't use ASP, you will have to translate the ASP code into the language your server-side scripts use.