From: Gottfried Mayer on 19 Oct 2005 07:15

Roland Hall wrote:
> "M P" wrote in message news:%23AcaaUE1FHA.904(a)tk2msftngp13.phx.gbl...
> : Thanks for the reply. My question is how do I handle this MD5 algorithm? For
> : example, I have a login page, how do I use the javascript?
>
> Please respond after responses, not before them.
>
> You don't use javascript to do this. You do it on the server-side. If you
> need an MD5 function already written to work in ASP, then go here:
> http://www.frez.co.uk/freecode.htm#md5
>
> The function is md5. I call it with:
> eStr = md5(str)
>
> I put it in its own file and I include it into any page I need. A starter
> example...
>
> <%@ Language = "VBScript" %>
> <%
> Option Explicit
> Response.Buffer = True
> %>
> <!--#include virtual="/asp/nocache.asp"-->
> <!--#include virtual="/asp/md5.asp"-->
> <%
> dim username, password, ePassword, cPassword, method
> method = Request.ServerVariables("REQUEST_METHOD")
> if method = "POST" then ' form has been posted
>     username = Server.HTMLEncode(Replace(Request.Form("username"),"'","''"))
>     password = Server.HTMLEncode(Replace(Request.Form("password"),"'","''"))
>     ' form validation
>     ' get password from database if username exists
>     ' (cPassword = the md5 value stored for this username)
>     ePassword = md5(password)
>     if ePassword = cPassword then
>         ' write to log
>         ' validate logon
>         session("user") = username
>         ' redirect to welcome
>     else
>         ' report error to user
>         ' write to log
>         ' redirect to logon
>     end if
> end if
> %>
> <!-- display logon form -->
>
> My nocache.asp page:
>
> <%
> with Response
>     .Expires = -1
>     .ExpiresAbsolute = Now() - 1
>     .AddHeader "pragma", "no-cache"
>     .AddHeader "cache-control", "private"
>     .CacheControl = "no-cache"
> end with
> %>
>
> HTH...

Although it seems easier to put this all in one place, you might want to
consider this:

If you do the encryption all server-side, every client will send his/her
password as plain-text over the internet.

In my opinion (and for security reasons), I would use a client-side
(JavaScript) MD5 hash to encrypt the password BEFORE sending it over the
internet. (Or use SSL to encrypt the whole data transfer between client and
server.)

Just my 2 cents,
Gottfried
From: Gottfried Mayer on 19 Oct 2005 07:48

M P wrote:
> Hi!
>
> Thanks for the reply. My question is how do I handle this MD5 algorithm? For
> example, I have a login page, how do I use the javascript?
>
> regards,
> Me
>
> "Gottfried Mayer" <ngs(a)NOOfusedSPAAAM.ch> wrote in message
> news:e9m$e7I0FHA.2064(a)TK2MSFTNGP09.phx.gbl...
>
>> M P wrote:
>>
>>> Hi!
>>>
>>> I'm planning to encrypt the password that was stored on msaccess database
>>> and also the text inputted from a password textbox. Also, if I want to get
>>> the password from the database, I need to decrypt it so it can be
>>> comparable to the one that is inputted on the textbox. Is there a way on
>>> how to handle this?
>>>
>>> MP
>>
>> Hi M P,
>>
>> To store passwords, the one-way or "hash" algorithms will be the most
>> useful to use: As the name says, this is a one-way procedure, for example:
>>
>> Password: mysecretpass
>> Hash (example): 28F9E2A118B3 <== Store this in DB
>>
>> User inputs: mysecretpass
>> Calculate Hash: 28F9E2A118B3
>> Compare this to value stored in DB.
>>
>> There are several different hash algorithms around, the most commonly
>> used is called MD5:
>> http://www.aspfaq.com/show.asp?id=2397
>>
>> The first example on this page is an implementation in JavaScript, this
>> ensures that the password is encrypted on the client computer and
>> submitted in the encrypted form.
>>
>> HTH
>> Gottfried

Hi M P,

You can read about the JavaScript implementation on this page:
http://pajhome.org.uk/crypt/md5/auth.html
(it even has a very interesting challenge-response example to enhance
security further)

But basically, it works like this:

download md5.js, put it in your web dir.

load the JavaScript into the Login page:

<script src="md5.js" type="text/javascript"></script>

insert the md5 calculation in the onSubmit trigger of your login form:

example login form:

<form onSubmit="this.pw.value = hex_md5(this.pw.value);" name="loginform" action="login.asp" method="post">
User: <input type="text" name="un"><br>
Pass: <input type="password" name="pw"><br>
<input type="submit" name="submit" value="submit">
</form>

On the server side, you check the Request("pw") against the value stored in
the database (don't forget to clean up the request string first to prevent
SQL injection ==> google).

This way, only the client knows the plain-text password, every further step
is encrypted.

HTH
Gottfried
From: Roland Hall on 22 Oct 2005 03:48

"Gottfried Mayer" <ngs(a)NOOfusedSPAAAM.ch> wrote in message
news:OKBvn5J1FHA.700(a)TK2MSFTNGP10.phx.gbl...
:
: Although it seems easier to put this all in one place, you might want to
: consider this:
:
: If you do the encryption all server-side, every client will send his/her
: password as plain-text over the internet.
:
: In my opinion (and for security reasons), I would use a client-side
: (JavaScript) MD5 Hash to encrypt the password BEFORE sending it over the
: internet. (or use SSL to encrypt the whole data transfer between client
: and server)

I would normally use SSL, as all basic authentication should, but the
client-side alternative is a good suggestion.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability or
fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp