Customize login form and security issue with login form
We have made a website in Umbraco version 4.7.1 and we handed this website to a security consulting firm for checking the security of our website. According to their guidelines they provided us with two issues, which are listed below:
1) The login ID and password between server and client are passed in clear text. It is possible for a malicious user to sniff the network and access the user ID and password.
2) Run time errors are displayed to the user.
They have also provided me with a solution for that, but I can't manage to do it by myself because I lack the Umbraco knowledge. The solutions are as follows:
1) The user ID and password should be encrypted while being transmitted over the network. Changing the application protocol from HTTP to HTTPS would mitigate this problem. Using HTTPS would transmit all the traffic between user and server in encrypted format.
In addition, the solution is to implement: a) the salted MD5 technique in the "authentication" or "login" module and b) the MD5 hash technique in the "change password" and "reset password" modules. The prerequisite to this is that the back-end database stores an MD5 hash of the password. (MD5 hash is a cryptographic technique in which the actual value can never be recovered.) Here is how the salted MD5 technique works:
When a client requests the login page, the server generates a random number, the salt, and sends it to the client along with the page. A JavaScript code on the client computes the MD5 hash of the password entered by the user. It then concatenates the salt to the hash and re-computes the MD5 hash. This result is then sent to the server. The server picks the hash of the password from its database, concatenates the salt and computes the MD5 hash. If the user entered the correct password these two hashes should match. The server compares the two and if they match, the user is authenticated.
2) The input that the server receives from the user can lead to malicious code entering the server. Similarly, the output shown to the user can transmit malicious code to the client system. All user input and output should be checked to ensure it is both appropriate and expected. Input validation should be done on the client-side as well as on the server-side.
So please help me out on the above topics as soon as possible.
I look forward to hearing from you regarding this issue. Please contact me on 9930201030 if you need further clarification.
Thank you for your time and consideration.