pajamas..

php and javascript advanced md5 authentication system

The connexion between "pajamas", which is an acronym for "php and javascript advanced md5 authentication system" and an actual pair of "Pyjamas" is that when you feel secure, you sleep better. Of course the words sound identical, too.

pajamas began as an attempt to create a more secure login using client-side hashing (a one-way function, not encryption: the password cannot be recovered from its hash), and as a demonstration, mainly for other web-coders, of two enormous security holes in all-too-common existence..

The first exists when folk use "public" browsers. Often the username and password are stored on the machine by the browser's form auto-complete, and can be re-used, even by accident, by other members of the public. Clearly this presents a problem, and one which, for some reason, most people like to forget and/or ignore. Probably, like me, they realized it would need to be done with JavaScript, and then ran in the opposite direction.

The second hole is more obvious, and that is the plain text password travelling freely across the wires. This one has received more worldwide attention, but it's still ignored in most php web applications. There are literally hundreds of articles out there describing how to store a user's password using all manner of weird and wonderful algorithms, to protect it from "unauthorised database access", or "unauthorised server access", and yet still expecting the password to arrive in plain text. GUYS!

If your database isn't secure you are in trouble. Same for your filesystem. These are places over which you have control. The place where you certainly don't have control, ever, is the internet. And the moment that packet of data leaves the user's presumably safe environment it's fair game. Its contents could be stored on any one of the many nodes between server and client, dubious proxy "servers" could scan it, and if the login form submits via GET (a common misconfiguration) the password lands in the URL, and from there in access logs and in other servers' referrer logs. There it is, your plain-text password, travelling around the internet in a bundle of other useful plain text information, like the URL of the so-called secure login page, and probably your username. No! This is insane!

pajamas takes an entirely different approach. The password is hashed before being sent over the wires, together with a random string generated fresh for that login. Now interception no longer hands over the password (the hash cannot be reversed; what remains is an offline dictionary attack on a captured hash, which a strong password survives and a weak one does not, because MD5 is fast), and public browsers can't save or cache it, either*, the hash being a one-shot mish-mash of your password and that random string. Each time you login, it's completely different, so a captured hash can't simply be replayed.

With pajamas, the only places the password ever exists in the clear are in your presumably secure server environment, and the presumably secure user's brain. This password is only protecting access to this server's content; ergo, breaching the web server breaches the user's "protected" data, anyway. To my reckoning, it would be considerably more difficult to compromise a modern web server and get root, than it is to search some log for the phrase "password".

Which strategy is best? You decide.

Since its birth back in 2004, pajamas spent quite a long time lying fairly dormant, yet working away quietly in the background as a highly useful authentication script. More recently, pajamas has grown into a rather neat modular authentication system, and the old "pj" module has essentially become one of its plug-ins. There's also a "plain" plugin that retains many of the good features of pj, but without the client-side hashing, for situations where JavaScript isn't available (On The Moon, maybe!). pj's client-side hashing is made possible with the excellent JavaScript functions provided by Paul Johnston's javascript MD5 code.

You can enjoy my wee "protected" image gallery, and try out pajamas at the same time, here.
If you'd like to ask questions, give feedback, enlighten me, etc, you can do that at the bottom.

There is also a sha1 pajamas plug-in called "shaggie", which is currently available only inside my other packages (e.g. the distro machine), feel free to download and play around with it; get back to me if you find any issues, thanks.

Here's the current pajamas code..
(of course, most of the good stuff is inside the modules!)

have fun!

;o) Cor


references:
* At least, this is the expected behaviour. Currently, as far as I know, Opera saves the *typed* password rather than the *sent* hash, effectively defeating any client-side password hashing strategy, dudes! I've figured out a way around this, by the way, which will hopefully hit the code stage for my upcoming "shaggie" pajamas module. Take it easy!

Welcome to the comments facility!



Will - 01.03.10 3:09 am

A bit of a newb question, but I got here from a google search on htpasswd.

Is there any way to protect a Directory using pajamas, the way you would with .htaccess+.htpasswd?

The readme was a little more technical than my level. Thx!



cor - 04.03.10 3:14 pm

Yes, simply drop the whole lot into the directory you want to protect - or else put it elsewhere on your site and set that path in the preferences inside pajamas.

Remember to set the name of the main pajamas page to your default document (usually index.php or similar). That way, whenever someone enters that directory, they always get pajamas, and not a directory listing.

Download the zip. The examples in the demo folder (inside the pajamas zip) should get you started. Open the simple demo (simple.php) in a text editor. It's basically this..

<?php
include 'inc/pajamas/pajamas.php';
$auth = new pajamasSimple('wadeva');

if ($auth->auth_user()) {
    // Authorised here
} else {
    // not authorised here.
}
?>


With that simple code you can protect anything (well, web resources!).

;o) Cor

ps. depending on the contents of the directory, you may want to opt for something with more features. Check out the distro machine, which includes pajamas.


drifter - 09.05.10 1:23 am

Hi Cor

I spent quite some time on your website today, checking out all of the interesting stuff you have here.

As far as pajamas is concerned:

I played with the demo and was browsing the images after authenticating. Whilst clicking on the second image (instead of enlarging) it showed me the login screen again and I had to login again to continue.

After the last image (I still read the text under the image and gave it a good look for at least 30 seconds, I would guess, because my dog has now discovered fishing too), I then logged out with the supplied button. It told me I must not hammer the site. Could that be true?!

I then walked away from my PC for about 4 hours to do some other stuff. When I came back I clicked back several times to see where I was and it took me through all the stages as described above (i.e. pic4->pic3->login->pic2->pic1->login). I only thought about it later that it was not supposed to let me back in to see the images... or was it?!

I try to remember where I comment in case people need more info on what I am on about, and I will surely come back to your site again, but I might miss this page totally. I find it a bit difficult to surf it due to that fairly cryptic image menu at the top. I initially came here from Google for the htaccess stuff, and when I tried to find it again later from your homepage as starting point it took quite some time.

thanks

drifter


Bobby - 20.06.10 2:35 am

Hi, I downloaded pajamas and am using the simple style... Even though I changed the password in the following variable directive in pajamas.php
var $_login_password = 'newpassword';
it still uses the old password, which is just password. Is there any place else that I need to change the password? Thanks!


cor - 20.06.10 2:47 am

I know; the readme is a bit lengthy. The bit you want goes like this..

When you run in "simple" mode, because you cannot override the module's built-in preferences, you will need to ensure that they are correct for your installation, and if need be, alter them inside the *module* itself


So do that, and you'll be okay.

;o) Cor


Bobby - 20.06.10 3:18 am

Aah.. my bad.. thanks for a prompt response... I love the stuff you've created... looking at your website, I can tell that you must be one hell of a guy.. cheers !!!


Chris - 11.02.11 4:06 pm

I am a designer and lecturer living in London, teaching at Barnet Schools of Creative Industry, currently researching and publishing a source book for businesses and anyone seeking to set up online and market their product or services. Part of it covers designers and illustrators: http://www.neasdencontrolcentre.com/ http://www.bibliothequedesign.com/ to name a few.

I am planning a format for iPad books. I wanted to know if you would allow us to use your comments and credit you with links for the work on security online.

The info you wrote was outstanding on site security.

Look forward to hearing from you.

Christopher

So long as you give credit where it's due, you and anyone who wants to can copy whatever bits they like from corz.org. Have fun! ;o) Cor



Donserdal - 15.03.11 12:37 am

Well, I'm using Pajamas and distro machine. Thanks, works great!!

Cheers! ;o) Cor



DY - 20.03.11 10:57 am

Great script, thanks a lot!

I did kind of tear all the nice bits apart, and re-frankensteined it to a single file... but methods are still the same.

Do you have any examples to connect it to a database? I am working on my own implementation to get a MySQL connection with multiple users, rights, statistics, etc... If you happen to have a bit of script that might be a pointer in the right direction, it'd be nice to have a look at.

Again; thanks a lot!

Regards,

DY

It's not something I've looked into, but I'm sure whatever code you produce would be useful to other pajamas users; do feel free to share back. ;o) Cor



DY - 04.04.11 7:24 pm

For the record; I am still working on it.

Currently, it is up&running fine (as it seems...), I will now do some testing, cleaning the code up and making it ready to publish.

Some features I added are;
- sha512 rather than MD5 (yep, I got inspired by your Shaggie)
- multiple hash turns (decoding hashes is too easy these days)
- multi-user/multi-pass (ofc)
- permissions (only the very, very basics of it)
- double hash turns; first 250 hashes, then the random/changing code is added, then it is hashed again 250 times, then it is sent & compared
This improves security for a database; if your DB will be stolen, thieves will only steal your hashes...

I am rather busy atm, but I'll contact you as soon as I'm done; I have no interest in spreading it, but you'll be free to do with it as you like (which includes spreading it).


BM - 13.06.11 5:55 pm

@DY:

Do you already have a working example with MYSQL?
I'm interested in your code for my own website.

See here. ;o) Cor


