[UPHPU] User Login suggestions

Timothy Humphrey email at timothyhumphrey.com
Thu Sep 2 15:04:37 MDT 2004

I'm also very curious on how that client side encryption works... After
getting my Linux machine up and running, the next project will be a SSL
server for the login content, and then I'll split up the site. I'd love to
get my hands on that code.

> From: "David Smith" <DavidSmith at byu.net>
> Date: Thu, 2 Sep 2004 14:54:28 -0600 (MDT)
> To: list at uphpu.org
> Subject: Re: [UPHPU] User Login suggestions
> <quote who="Tierra">
>> On Thu, 2 Sep 2004 14:04:43 -0600 (MDT), David Smith <davidsmith at byu.net>
>> wrote:
>>> <quote who="Tierra">
>>>> I could go on about RSA encryption, SSL, and others as I've coded up
>>>> my own very secure login system.
>>> Do share!
>>> --Dave
>> You asked for it! (well, demanded, but it doesn't matter) =)
>> If you don't have the funds or getting a _signed_ SSL certificate
>> isn't worth the hassle, you can still sign your own certificates and
>> still run the entire user session over encryption, only the user will
>> be asked if your certificate is acceptable everytime they visit the
>> site. If you don't want that message either, then your still not out
>> of luck. You can program some standard Javascript RSA encryption and
>> send to the client to encrypt any data they will be sending back to
>> the server (in my case, I encrypt the password, it's a little more
>> cumbersome to encrypt all the POST data, and the HTTP request can
>> still be seen since your not running through standard SSL anyway).
>> That's done with the help of PHP and a MySQL table that keeps track of
>> all keys sent to clients on their different IP addresses so it can
>> decrypt the data when it's sent back (were still working with multiple
>> connections).
>> Should I go on about how PHP, Javascript, and MySQL handles the
>> encryption?
> A couple years ago, I was looking for an RSA Javascript solution to
> encrypt passwords on the client side without an SSL HTTP session for the
> uug.byu.edu site. I couldn't find a solution, so I just settled for a less
> secure setup with clear password transfer (and a little warning note). Did
> you write your own Javascript RSA implementation, or did you find one? How
> did you distributeyour RSA public key to the Javascript clients? Via HTTP
> or embedded in the script? How did your clients validate the authenticity
> of the key? You've got my curiosity going now.
> --Dave
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: list-unsubscribe at uphpu.org
> For additional commands, e-mail: list-help at uphpu.org

More information about the UPHPU mailing list