
I am working on a sign in form using jQuery / CodeIgniter and was wondering if it would be possible to do something like so:

  1. When the user clicks Sign In it sends a request via AJAX to get a value key (set using CodeIgniter flashdata).
  2. Once it has the key, it hashes the password with SHA256, then encodes the hashed password with the key from the AJAX request.
  3. After this, it sends the username / encoded and hashed password to the server, where it is then decoded, salted, re-hashed and checked against the stored password in the database.

Obviously, since the AJAX request will be sent almost at the same time as the login request, there will be a check for this too before attempting to log the user in.

Basically, I want to know if there is a consistent way to do key-based encoding/decoding in JavaScript and PHP, and if so, how to do it.

  • see this stackoverflow.com/questions/7909288/… Commented May 20, 2012 at 12:47
  • I had thought about that but then I would have the problem of not knowing the un-encoded string which I need for checking the value in the database Commented May 20, 2012 at 12:55
  • If you are doing this to prevent someone from eavesdropping on the connection and getting the password it won't work. If they get the key coming to the browser they can use your own JavaScript to see how you're encoding it and then mimic whatever you do. Commented May 20, 2012 at 13:03
  • it was more along the lines of "make it a little more difficult" to be honest, which is all you really can do without SSL. I'm making a demonstration of different approaches, strengths and weaknesses and if I just went 'SSL is the only way to go' it wouldn't be much of a demonstration! Commented May 20, 2012 at 13:30
  • @AndrewWillis Gotcha, well, as for this method, if you google JavaScript sha1 or md5 there is some code available to do the conversion. Commented May 20, 2012 at 18:14

1 Answer


CodeIgniter has an Encryption Class that can be used for encoding and decoding the data:

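// Load the Encrypt library first (called from inside a controller).
$this->load->library('encrypt');

$msg = 'My secret message';
$key = 'super-secret-key';
// Encode with an explicit key.
$encrypted_string = $this->encrypt->encode($msg, $key);

// Sample encoded value; with no key argument, decode() uses the encryption_key from the config file.
$encrypted_string = 'APANtByIGI1BpVXZTJgcsAG8GZl8pdwwa84';
$plaintext_string = $this->encrypt->decode($encrypted_string);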

5 Comments

I knew this would come up, now how do I encode the string in JavaScript? I need to get the key from PHP, then encode it in JavaScript and decode it in PHP
Unfortunately, there is no built-in encryption or decryption function in JavaScript, because encrypting the data on the client side is a security risk. You should use a customized function in order to encrypt and decrypt the data: webmasters.am/blog/string-encryption-decryption/javascript/2010/…
Oh, that's unfortunate! I'm going to have to write a plugin for JavaScript and PHP to do this! It'd probably be less stressful to just get an SSL certificate!
@AndrewWillis you really can't replace the security of SSL this way so if you need encryption that's the way to go.
Yeah, it was basically just a test to see if it worked and was possible rather than an ultra-secure, universal answer to the packet-sniffer problem!
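
The three steps from the question, modelled end to end in Node.js as an added example (not code from the question, the answer or CodeIgniter); AES-256-CTR as the reversible encoding, scrypt as the re-hash and all names are assumptions. It shows that the single-use key stops a resent payload, while the key and payload together still decode for anyone who saw both, which is the limit the comments point out for a connection without SSL.

```javascript
// Added example (Node.js). Function names, AES-256-CTR and scrypt are assumptions,
// not CodeIgniter's Encrypt class or code from the question.
const nodeCrypto = require('crypto');

const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Reversible "encoding with the key": AES-256-CTR keyed from the one-time value.
function encode(buf, key) {
  const iv = nodeCrypto.randomBytes(16);
  const c = nodeCrypto.createCipheriv('aes-256-ctr', sha256(key), iv);
  return Buffer.concat([iv, c.update(buf), c.final()]).toString('hex');
}
function decode(hex, key) {
  const raw = Buffer.from(hex, 'hex');
  const d = nodeCrypto.createDecipheriv('aes-256-ctr', sha256(key), raw.subarray(0, 16));
  return Buffer.concat([d.update(raw.subarray(16)), d.final()]);
}

class LoginServer {
  constructor() { this.users = new Map(); this.sessionKey = new Map(); }
  rehash(pwHash, salt) { return nodeCrypto.scryptSync(pwHash, salt, 32); } // "salted, re-hashed"
  register(user, password) {
    const salt = nodeCrypto.randomBytes(16);
    this.users.set(user, { salt, stored: this.rehash(sha256(password), salt) });
  }
  issueKey(sessionId) {                 // step 1: key kept server-side, like flashdata
    const key = nodeCrypto.randomBytes(16).toString('hex');
    this.sessionKey.set(sessionId, key);
    return key;
  }
  login(sessionId, user, payload) {     // step 3: decode, salt, re-hash, compare
    const key = this.sessionKey.get(sessionId);
    this.sessionKey.delete(sessionId);  // single use, so a resent payload finds no key
    const rec = this.users.get(user);
    if (!key || !rec) return false;
    return nodeCrypto.timingSafeEqual(this.rehash(decode(payload, key), rec.salt), rec.stored);
  }
}

function demo() {
  const server = new LoginServer();
  server.register('alice', 'correct horse');            // constructed sample account
  const key = server.issueKey('sess-1');                // sent to the browser in the clear
  const payload = encode(sha256('correct horse'), key); // step 2, done in the browser
  const first = server.login('sess-1', 'alice', payload);
  const resent = server.login('sess-1', 'alice', payload);
  // Both `key` and `payload` crossed the wire, so anyone who saw them can decode too.
  const observed = decode(payload, key).equals(sha256('correct horse'));
  return { first, resent, observed };
}
```

The decoded value is the same SHA256 hash the server verifies, so over plain HTTP the encoding layer hides nothing that the key exchange has not already exposed.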
