pajamas..
php and javascript advanced md5 authentication system
The connexion between "pajamas", which is an acronym for "php and javascript advanced md5 authentication system" and an actual pair of "Pyjamas" is that when you feel secure, you sleep better. Of course the words sound identical, too.pajamas began as an attempt to create a more secure login using client-side hashing, which is one-way encryption, and as a demonstration, mainly for other web-coders, to two enormous security holes in all-too-common existence..
The first exists when folk use "public" browsers. Often the username and password are stored on the machine, and can be re-used, even by accident, by other members of the public. Clearly this presents a problem, and one which, for some reason, most people like to forget and/or ignore. Probably, like me, they realized it would need to be done with JavaScript, and then ran in the opposite direction.
The second hole is more obvious, and that is the plain text password travelling freely across the wires. This one has received more worldwide attention, but it's still ignored in most php web applications. There are literally hundreds of articles out there describing how to store a user's password using all manner of weird and wonderful algorithms, to protect it from "unauthorised database access", or "unauthorised server access", and yet still expecting the password to arrive in plain text. GUYS!
If your database isn't secure you are in trouble. Same for your filesystem. These are places over which you have control. The place where you certainly don't have control, ever, is the internet. And the moment that packet of data leaves the user's presumably safe environment it's fair game. Its contents could be stored on any one of the many nodes between server and client, dubious proxy "servers" could scan it, on poorly configured servers (most) passwords will show up on other server's referrer logs, etc. There it is, your plain-text password, travelling around the internet in a bundle of other useful plain text information, like the URL of the so-called secure login page, probably your username. No! This is insane!
pajamas takes an entirely different approach. The password is securely hashed before being sent over the wires. Now, not only is interception no longer a problem (it's impossible to retrieve the password from the hash in the given time-frame, even a very much longer time-frame), but public browsers can't save or cache it, either*, being a one-shot mish-mash of your password and some random generated string. Each time you login, it's completely different.
With pajamas, the only places the password ever exists in the clear are in your presumably secure server environment, and the presumably secure user's brain. This password is only protecting access to this server's content; ergo, breaching the web server breaches the user's "protected" data, anyway. To my reckoning, it would be considerably more difficult to compromise a modern web server and get root, than it is to search some log for the phrase "password".
Which strategy is best? You decide.
Since its birth back in 2004, pajamas spent quite a long time lying fairly dormant, yet working away quietly in the background as a highly useful authentication script. More recently, pajamas has grown into a rather neat modular authentication system, and the old "pj" module has essentially become one of its plug-ins. There's also a "plain" plugin that retains many of the good features of pj, but without the client-side hashing, for situations where JavaScript isn't available (On The Moon, maybe!). pj's client-side hashing is made possible with the excellent JavaScript functions provided by Paul Johnston's javascript MD5 code.
You can enjoy my wee "protected" image gallery, and try-out pajamas at the same time, here.
If you'd like to ask questions, give feedback, enlighten me, etc, you can do that at the bottom.
There is also a sha1 pajamas plug-in called "shaggie", which is currently available only inside my other packages (e.g. the distro machine), feel free to download and play around with it; get back to me if you find any issues, thanks.
have fun!
;o)
(or
references:
At least, this is the expected behaviour - currently, as far as I know, Opera saves the *typed* password, rather than the *sent* password, effectively defeating all forms of client-side password hashing strategy, dudes! - I've figured out a way around this, by the way, which will hopefully hit the code stage for my upcoming "shaggie" pajamas module. Take it easy!
[site notice]
Don't you want to click the world's largest PayPal button?
Don't you want to click the world's largest PayPal button?
random word from corzblog: well
llew :golbzroc morf drow modnar
© 2009 « corz.org » 17.7.09 speedy gonzales timer say this page generated in 0.024 seconds
very nice! thx.
Hey, this PHP login doesn't seem to work for me; can you send me a .zip file of one. Maybe that would be easyier to copy then that code has well. Me email is
hacker-helper@gmail.com
Thank you, also if anyone is any good with javascript then I would like on of those; either if fine.
My server can support it so don't think that is what it is either, If anyone else needs some help I can give it just E-Mail me. KK
You spotted the zip download link at the top of the page, yeah?
And Javascript is a browser thing, so long as your server supports php (>=v4.2) pajamas will run just fine, after that, it's their problem!
;o)
(or
hmm, why don't you use onSubmit instead of onClick handler? It should resolve the click 'log in' issue, atleast to my knowledge
Hmm. sounds good. I'll try that sometime. Thanks.
But then, it's only Internet Explorer users that suffer, and they do that anyway!
;o)
(or
Maybe I missed this, but there's still a bit of a problem with this... that is, how to create the password in the first place. If you already know it, that's wonderful, but is there any way for a user to create a password and send it to the server for the first time without doing it in plain text?
Nope, Dane, this isn't a mechanism for creating passwords, just for authentication. There are possibly other ways to do that, but it's not something I've ever needed, or looked at. Sorree.
;o)
(or
ps.. sami, onsubmit doesn't seem to make any difference in IE. I'll maybe have another fiddle later.
Observant sorts may have noticed that earlier today I uploaded the new "pajamas modular authentication system", which is pajamas taken to the next level.
pajamas.php becomes a module-loader-authentication-engine-thing, and the old "pj" is now effectively a plug-in, works great. Everything is pure xhtml 1.0 strict, and with help from PCheese, 100% OOP! I expect oop-ness to start sneaking into my other php, it's certainly an intuitive way work the code.
Though I have tested it out fairly thoroughly, and am using it right now elsewhere, I expect bugs, and bug reports are most welcome. Feel free to play around with the demos (links at the top) and download the pajamas package, which comes with two plug-in modules "pj" and "plain", as well as the pajamas demos, example code, etc. Check out the readme for more details. You can also view the source right here.
Thanks for all the input so far, here and by mail, hopefully the new system will be all that was hoped for and more.
for now..
;o)
(or
ps.. when I first uploaded the whole lot here to corz.org, the "simple" interface demo didn't work, kept telling me the password was wrong when it wasn't. Then I remembered about the phpsuexec here at my host, added a few local php.ini files (whose only session directive is session.use_trans_sid = 0). All is suddenly well! Hmm. Any thoughts on would be appreciated.
By the way, although there's not an official release, as such; if you grab the latest version of my distro machine, you get a pajamas installation with a SHA-1 module. It also outputs strict XHTML, which I don't think the current release does.
I'll put together a new pajamas distro proper in the near future.
By the way; here at corz.org, apart from the comments, pajamas controls all my authentication, and I pretty much have a site-wide login, which is real nice.
;o)
(or
Corz, I cam here via this page:
foruforums.invisionpower.com/index.php?showtopic=181089&mode=linearplus
It says that pajamas is only "obscuring" the password. Is this true?
Best.
Ryan.
Heh, no.
Either the poster a) didn't look at the code, or b) didn't understand it.
Whether you can see the "random number" is irrelevant. Firstly, pajamas uses many criteria to judge whether a particular user is authenticated or not, and secondly, even if someone had access to some as-yet-uninvented computer that could find a collision within a reasonable time-frame, it would be ABSOLUTELY NO USE TO THEM. It became out-of-date the instant it was received. Which is kind of the whole point.
Also, there's a SHA1 plugin, so even our theoretical computer wouldn't help!
;o)
(or
ps. I've been using pajamas on-site, for all my admin authentication, ever since it was first created, and with 100% success.
What stops someone reverse-engineering your system by looking at the source code of the page?
"The only "weakness" with the current pajamas implementation is that your password is visible to someone if they have access to your raw filesystem, and if they have that, no amount of authentication will stop them getting your goodies, will it? pajamas isn't designed to protect you from unscrupulous hosting admins!"
And what happens when a cracker accesses your raw filesystem via URL injection?
What stops someone reverse-engineering your system by looking at the source code of the page?
You can even look at the source code for the pajamas package itself; it won't help you reverse engineer anything; there's nothing to reverse-engineer, MD5/SHA1/etc. are one-way cryptographic functions. The code is already well-known.
And what happens when a cracker accesses your raw filesystem via URL injection?
My first response to this is.. stop talking nonsense! However, you may know something I don't; so if you tell me exactly how this attack is crafted, and how you could access my raw file system with it, I may amend my response.
;o)
(or
ps. I've uploaded a file /inc/db/.ht_secrets - please use your attack and tell me the password contained in that file. Cheers!
um, a bit of help please? When ever I use the PJ theme (which is the one that I want to use) it won't work
I'm just trying to get this to work were I have some users working on a tutorials page.
Thanks,
Frosty
PS. I Also have a copy of PHPBB and it works how it was supposed to. A "needed stuff" page similar to phpbb's would be helpful
I don't know what a standard installation is, if such a thing even exists, and without more in the way of real error messages, your pj troubles are also a mystery to me.
Feel free to mail me whole screeds of log output, php error messages, copies of pj, between now and when I wake up, tomorrow. If there's only a single error message, or a small amount of useful data, drop it here.
I didn't realize there was "needed stuff" for pajamas, aside from basic php4+. But there may well be. Again, more details welcome.
You've seen the readme link at the top of the page, right?
;o)
(or
ps. iirc, the latest pajamas release, currently, is inside the distro machine beta (elsewhere onsite), there are differences that may affect how the old release demo works, but pj itself works great. check the implementation in the distro machine beta.
There seems to be a bug with PAJAMAS on this system I'm using. It doesn't work on my own site where I've implemented it, and even your demo doesn't work. I don't know the details of the system I'm on, but I can give you the UserAgent value:
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9) Gecko/2008061004 Firefox/3.0
If you can't get even the demo to work on your site, there is clearly something very wrong. You user agent string probably has nothing to do with it. Check your php error log and note any related errors, post them here. You might also want to download debug-report.php, which will spit out all sort of useful information, let you know if php sessions are working correctly and more.
You can get that here.
Also, does the demo work for you here at corz.org? If not, it's possible there's something up with your browser.
;o)
(or
That's just the thing. I have PAJAMAS working just fine on my site. It works on every browser I've tried. The demo here on corz.org also works in every browser.
The problem that I was pointing out was only related to that specific system I was on the other night. I was in a classroom and I was trying to show PAJAMAS to a web development professor at my school. PAJAMAS didn't work on the computer that I was using (which is why I posted the UserAgent information), and I figured you should know what browser and OS I was using so that you could replicate the problem and see if you could figure out what was wrong (or you might know if there is a potential compatibility issue between MacOSX w/Firefox 3 and your script).
I'll tell you what, though. Next time I go into that classroom (which isn't often since I don't actually have any classes in there), I'll set up a test page for PAJAMAS on my site, and I'll unmask the password to see if there is an issue that stands out right away. I'll also try using one of the alternative javascript-based md5 scripts out there in cyberland.
It's amazing how little feedback I get about pajamas, yet I keep coming across it, and recommendations for it, all over the place. No one ever thinks to mail me and say, "Hey! I got pajamas working on X server v0.x, works great. Thanks!", or anything like that. What I mean is, good to hear, ta.
As to the issue on that machine, were there any specific errors? I've noticed hits in my error log recently with FF3 looking for resources in totally the wrong place; I must check if it was on OSX, perhaps the combo has issues. Probably more useful than unmasking the password (if it changes length, the javascript part is probably working fine, probably), would be to have a peek at the session variables. See exactly what's been stored.
The debug script I mentioned in my previous post is excellent for this. I also have a session viewer script kicking around (it's not available for download (at least until I can get around to doing a safe online demo version - it has a drop-down of all available sessions, very handy)) mail me if you want a copy.
I'm curious, why were you showing to the professor? You can tell how feedback-starved I am about pj!
Another thing you might want to try is the sha1 module. I don't think it ever made it to an official pj release, but there will be a copy inside the most recent distro machine download, for sure, and elsewhere onsite.
Lastly, if other md5 scripts can slot into pajamas, that's something I'd be keen to know about! But any data you have is useful. Cheers!
;o)
(or
This sounds neat. However, how do you get around the problem presented by G Funk?
" Re: Response to G Funk
-----------------------------------------
Well G Funk, it's a mind-bender, that's for sure!
At first glance it seems reasonable to store the password as an MD5 on the server, but in reality, all we have done is replaced the password with an MD5 of itself. In other words, you could authenticate by simply knowing the MD5, just as easily as you can by knowing the actual password.
When I first put pajamas together, I wrestled with this for some time! "
For this to work you would need to md5 a random string along with the password. But them how do you get the server to know what that is?
This is where PKI comes useful. Client uses server public key to create the hash, server opens hash with private key, etc.
I believe I already answered that.
;o)
(or
leave a comment, become part of this site!
First, confirm that you are human by entering the code you see..
(if you find it difficult to read, refresh the page for a new code)
lower-case aye, Upper-Case Ex, s-heaven, lower-case ay, Upper-Case Pee