SMF Login Password

Started by jriani, May 14, 2017, 08:08:38 PM

jriani

How is a user's password sent over the wire? Is there a JavaScript SHA1 implementation that sends the password hashed? Or does hashing and concatenating with salt happen on server only?

Colin

It is hashed client side.


function hashLoginPassword(doForm, cur_session_id)
{
	// Compatibility.
	if (cur_session_id == null)
		cur_session_id = smf_session_id;

	if (typeof(hex_sha1) == 'undefined')
		return;
	// Are they using an email address?
	if (doForm.user.value.indexOf('@') != -1)
		return;

	// Unless the browser is Opera, the password will not save properly.
	if (!('opera' in window))
		doForm.passwrd.autocomplete = 'off';

	doForm.hash_passwrd.value = hex_sha1(hex_sha1(doForm.user.value.php_to8bit().php_strtolower() + doForm.passwrd.value.php_to8bit()) + cur_session_id);

	// It looks nicer to fill it with asterisks, but Firefox will try to save that.
	if (is_ff != -1)
		doForm.passwrd.value = '';
	else
		doForm.passwrd.value = doForm.passwrd.value.replace(/./g, '*');
}

"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.
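
The value that function puts in hash_passwrd, and one way a server can check it, as an added Node.js example that is not part of the thread or of SMF's code. It assumes a UTF-8 forum with ASCII usernames and a server that stores sha1(lowercase(user) + password); serverVerify and the sample values are hypothetical.

```javascript
// Added example (not SMF code). Assumptions: UTF-8 forum charset, ASCII
// usernames, and a server that stores sha1(lowercase(user) + password).
const crypto = require('node:crypto');

function sha1Hex(data) {
	return crypto.createHash('sha1').update(data).digest('hex');
}

// Inner value: depends only on the credentials, identical on every login.
function innerHash(user, password) {
	return sha1Hex(Buffer.from(user.toLowerCase() + password, 'utf8'));
}

// Value placed in hash_passwrd: the inner hash bound to the current session id.
function loginResponse(user, password, sessionId) {
	return sha1Hex(innerHash(user, password) + sessionId);
}

// Hypothetical server-side check: recompute from the stored inner hash and
// compare in constant time. The cleartext password is not needed here.
function serverVerify(storedInner, sessionId, submitted) {
	const expected = Buffer.from(sha1Hex(storedInner + sessionId), 'hex');
	const got = Buffer.from(String(submitted), 'hex');
	return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Constructed sample values.
const stored = innerHash('Alice', 'correct horse');
const sidA = 'a3f1c2d4e5b60718293a4b5c6d7e8f90';
const sidB = '0f9e8d7c6b5a49382716b5e4d3c2a1f0';
const onWire = loginResponse('alice', 'correct horse', sidA);

console.log('sent for session A:', onWire);
console.log('accepted in session A:', serverVerify(stored, sidA, onWire));
console.log('accepted in session B:', serverVerify(stored, sidB, onWire));
```

The same submitted value is rejected under a different session id, but whatever the form sends is still readable in transit unless the login page is served over SSL/TLS.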

Arantor

You can send it over the wire bare, though SSL is strongly recommended for such things.