Secure logins...

Giganews Newsgroups
Subject: Secure logins...
Posted by:  The Plankmeister (plankmeister_NOSPA…
Date: Sat, 13 Sep 2003

Hi. I realise this is possibly considered off-topic, but I want to pick as
many expert brains as possible. Apologies in advance....

I have a form on which I have a username and password box. Then in the
validation function called by the form's onsubmit event, I'm taking the
username and password and generating an MD5 hash (using javascript) from
them, disabling the password box and writing the MD5 hash to a hidden field
on the form and then allowing the form to be submitted. This way, there is
no clear-text password sent across the net, only the username and the MD5
hash of the username/password.

However... I started thinking that it doesn't really matter... The MD5 hash
is sent as clear text anyway. Anyone snooping could just catch the clear
text username and MD5 and they're as good as in. Then I started thinking
about a 'coupon' system, where I would have the server generate a random MD5
hash which it would place in a hidden field in the form. Then, upon
attempting to login, the server would only accept login attempts from coupon
numbers that it's issued... I was thinking this would get around any
possible CSS hacks. But it wouldn't really... Or would it? Am I right in
thinking that if someone were to have already intercepted the clear text
username/MD5 hash sent previously, they would only have to visit the login
page to be issued with a new coupon, which they could then use in
conjunction with the username/MD5 and CSS to get access?

And I've heard that just checking http_referer is pointless because it's
easily forgeable.

So what is a secure method of dealing with non-cross-site scriptable logins?
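
The replay the post describes, as an added example that is not part of the original post: a Node.js simulation of a server that checks only that the coupon was issued, next to a variant where the coupon is mixed into the response. The account, the function names and the HMAC-SHA256 variant are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const md5 = (s) => crypto.createHash('md5').update(s).digest('hex');
const hmac = (key, msg) => crypto.createHmac('sha256', key).update(msg).digest('hex');

// Constructed sample account: the server keeps md5(username + password),
// the same value the post's form submits.
const users = new Map([['alice', md5('alice' + 'correct horse')]]);

// Coupons are random, single-use values the server remembers issuing.
const issued = new Set();
function issueCoupon() {
  const coupon = crypto.randomBytes(16).toString('hex');
  issued.add(coupon);
  return coupon;
}

// Scheme from the post: the coupon only has to be one the server issued.
function loginStaticHash(username, hash, coupon) {
  if (!issued.delete(coupon)) return false; // unknown or already spent
  return users.get(username) === hash;
}

// Assumed variant: the client answers with HMAC(stored hash, coupon), so a
// response is only valid for the coupon it was computed against.
function clientResponse(username, password, coupon) {
  return hmac(md5(username + password), coupon);
}
function loginChallenge(username, response, coupon) {
  if (!issued.delete(coupon) || !users.has(username)) return false;
  const expected = Buffer.from(hmac(users.get(username), coupon));
  const got = Buffer.from(String(response));
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// One observed login per scheme, then the same captured values resubmitted
// with a freshly issued coupon.
function demo() {
  const seen = { user: 'alice', hash: md5('alice' + 'correct horse') };
  const first = loginStaticHash(seen.user, seen.hash, issueCoupon());
  const replayStatic = loginStaticHash(seen.user, seen.hash, issueCoupon());

  const coupon = issueCoupon();
  const response = clientResponse('alice', 'correct horse', coupon);
  const second = loginChallenge('alice', response, coupon);
  const replayChallenge = loginChallenge('alice', response, issueCoupon());
  return { first, replayStatic, second, replayChallenge };
}

console.log(demo());
```

The variant addresses replay of a captured login only: the stored hash is still password-equivalent, and the login page and its script still travel unencrypted unless the site is served over TLS.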