Yii Framework Forum: Provide alternate user authentication mechanism


Provide alternate user authentication mechanism: Provide a CRAM-MD5 or equivalent mechanism

#1 sivann

  • Newbie
  • Group: Members
  • Posts: 3
  • Joined: 28-February 11

Posted 07 March 2011 - 07:13 AM

Hi. I'm new to Yii.
The hashing of the password presented in the tutorials only helps against server compromise (DB theft), not against network sniffing. HTTPS is not always an available option, especially for virtual hosts.

As far as I understand there is no way to prevent a "playback attack" on the user authentication, with the default mechanisms. It would be helpful to enrich the framework with a challenge-response algorithm implementation. It could be as simple as including a client-based MD5 javascript implementation, and a server-based challenge-key generator, or use something better than MD5.

Passwords would then have to be stored plaintext on the server, but:
- if Yii is secure enough to prevent against SQL injection and other vulnerabilities this wouldn't be an issue
- simple network sniffing would be ineffective

-Spiros
0

#2 RedRabbit

  • Standard Member
  • Group: Members
  • Posts: 183
  • Joined: 24-September 10

Posted 08 March 2011 - 03:38 AM

While such a feature might be nice, I don't see that it would be necessary for the core. I think it should be relatively easy to implement an extension for this.

Otherwise, one thing I have wondered about (but haven't researched) is whether it wouldn't be possible to do a secure Javascript login by having the client use public key encryption in javascript before sending the encrypted password to the server - basically, is it possible to do public key encryption using Javascript?
Rupert
0

#3 sivann

  • Newbie
  • Group: Members
  • Posts: 3
  • Joined: 28-February 11

Posted 08 March 2011 - 12:27 PM

There is jcryption.org. But it doesn't replace HTTPS, since javascript cannot access the browser's stored certificates for once. Moreover, ajax requests can only be performed on the same origin as the http(s) request, so you can't query a "local" certificate server either. In short, you won't have server authentication.

RedRabbit, on 08 March 2011 - 03:38 AM, said:

wouldn't be possible to do a secure Javascript login by having the client use public key encryption in javascript before sending the encrypted password to the server - basically, is it possible to do public key encryption using Javascript?

0
