readme.md5_passwords

PHPLOB注释详细版 使用模板技术的好帮手 PHP最有用的东东了

MD5 Patches - Version 0.1 (1999-01-29)

This release includes support for MD5-hashed password storage, as opposed
to cleartext.  

To get started, you'll need to change all your authentication classes
/ page_open's to something like that in Example_Challenge_Crypt_Auth (see
local.inc).

You will also need to create the auth_user_md5 table.  I've decided
to use a different table than auth_user to allow for some things that
aren't necessarily compatible and so you can play around until making
the big switch.  There's a MySQL script to create the table, it's
stuff/create_auth_md5.mysql.  The script creates the kris/test account
as well.

I've included a ultra-simple PHP script to migrate your old password
table to the new one by hashing the passwords.  That's in
stuff/migrate_to_md5.php3.  You'd best copy it to wherever you keep
your other PHP3 scripts, and run it after setting up PHPLIB.  It was
written for MySQL, but it's generic enough to probably run anywhere
you need to.

The new challenge-response login page is php/crcloginform.ihtml.  You
might want to modify it to look more like your site.

I've hacked the new_user.php3 into a MD5-storage-compliant version
that doesn't send your password in cleartext along the wire.  The new
version is in pages/admin/new_user_md5.php3.

I do not claim that this in invulnerable to attack.  In fact, I can
think of one right now.  When you change your password, the MD5-hash
of your PW is transmitted down the wire.  An enterprising cracker could
manage to fake a login form and supply the page with the MD5-hashed
password, which would then authenticate them.  This is bad.  If you
need security you should consider running SSL or no webserver at all.

I looked into public-key encrypting the form response when changing
passwords.  Doing pk encryption in JavaScript looks like it is going
to be extremely painful or very weak encryption (or both).  My plan
for 0.2 is to have a Java class to do the encryption and to perhaps
make a PHP C extension to decrypt the message.  

Please let me know what you think, and changes/fixes/corrections are
appreciated!

Good luck,

Jim
<jim@jimz.com>