Bug #16517

closed

Login doesn't work if JavaScript is disabled with md5 passwords

Added by Christian Toffolo over 17 years ago. Updated over 17 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
felogin
Target version:
-
Start date:
2006-09-01
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

If JavaScript is disabled and newloginbox uses md5 passwords, no login is possible.

(issue imported from #M4139)

Actions #1

Updated by Stefan Strasser over 17 years ago

That is not a bug, I think it is the same behaviour as with the backend login.

The password you enter at your workstation is treated by a JavaScript md5 function and the resulting hash is then submitted to the server. This way no clear-text password is being submitted. Without JavaScript this "encryption" won't work.

Actions #2

Updated by Christian Toffolo over 17 years ago

IMHO md5 encryption should be made server-side, not by JavaScript.
We can "constrain" BE users to use a JavaScript-enabled browser, but we cannot do it for FE users because of many reasons, first of all: usability.
I think JavaScript should always be unobtrusive.

If it is possible, I suggest switching to a server-side encryption.
Bye!ian.

Actions #3

Updated by Andreas Wolf over 17 years ago

Well, the client-side encryption is the key to a secure submission of the password. It would be highly insecure to send passwords over an unencrypted connection.

What happens on the client is the following:

1) The password is md5-hashed.
2) The username is prepended and a challenge is appended to the hash from 1).
3) This value is hashed again and then sent to the server.

The server repeats step no. 2 with the encrypted value from the database. So neither the clear-text nor the hashed password is sent over the network. The challenge is an md5 hash of the time and some other value, so it is more or less random and not predictable. And it has to be stored on the server, so even if someone knows the hash value of the password, he would also need a correct challenge - this wouldn't be a problem, but ok...

Actions #4

Updated by Christian Toffolo over 17 years ago

Yes, you're right. I did not consider the passage of the pass in plain text :S
Thank you!ian.
