Part 1: The Theory
One of the main problems with authenticating over a network is that unless a
secure connection is set up between the user's web browser and the web server, the user's password
travels in the clear and can be read by anyone on the path with a packet sniffer.
The trick to dealing with this situation is what's called a one-way cryptographic hash. It is
somewhat akin to encrypting the password before sending it, except that the transformation is designed
to go only one way: information is thrown away during the process and cannot be recovered. The
encoded password can then be sent across the network with the knowledge that even if it is intercepted,
the original password cannot be read back out of it. What an eavesdropper can still do is test candidate
passwords against the captured value, so the scheme protects the password only as well as the password
resists guessing.
Once the server has received the plaintext username and the encoded password, it does a lookup on
the username to find that user's password (which the server must therefore keep in a form it can encode
itself). It then applies the same encoding to its own copy of that user's password and compares the two
encodings. If the encoded versions of the two passwords match, the original passwords match as well; two
different passwords producing the same encoding would be a hash collision, which a cryptographic hash is
designed to make infeasible to find.
To further augment security, a random string is chosen that is appended to the password before encoding on
both the client side and the server side. If that string is chosen afresh for every login attempt, an
encoding captured from one login cannot simply be replayed in the next, because the server will be expecting
an encoding made with a different string. The process is illustrated in the following figure.

Figure 1: Authentication over a network
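The exchange in Figure 1, carried through as an added Python example (this is not code from the original page; the user table, the SHA-256 choice of hash, the 16-byte random string and the function names are all assumptions made for illustration). The server issues a fresh random string, the client sends only the encoding of password plus string, and the server recomputes the same encoding from its own copy of the password and compares in constant time. The last function shows why the string must be fresh per attempt: a response captured from one exchange is rejected once the server has issued a new one.

```python
import hashlib
import hmac
import secrets

# Constructed sample user table. The scheme described in the text requires the
# server to hash its own copy of the password, so the plaintext is stored here.
# (Constructed example data, not a real credential.)
USER_DB = {"alice": "correct horse battery staple"}


def encode(password: str, salt: str) -> str:
    """One-way encoding of password || random string, as the text describes.
    SHA-256 is an assumption; the page does not name a hash function."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def server_issue_challenge() -> str:
    """Server side: pick a fresh random string for this login attempt."""
    return secrets.token_hex(16)


def client_response(password: str, salt: str) -> str:
    """Client side: the only secret-derived value sent over the wire."""
    return encode(password, salt)


def server_verify(username: str, salt: str, response: str) -> bool:
    """Server side: look up the user's password, encode it with the same
    random string, and compare the result with what the client sent."""
    stored = USER_DB.get(username)
    if stored is None:
        # Do the same amount of work so an unknown user is not
        # distinguishable from a wrong password by timing.
        encode("", salt)
        return False
    expected = encode(stored, salt)
    # Constant-time comparison so the comparison itself leaks nothing.
    return hmac.compare_digest(expected, response)


def login(username: str, password: str) -> bool:
    """One full exchange: server challenge, client response, server check."""
    salt = server_issue_challenge()
    resp = client_response(password, salt)
    return server_verify(username, salt, resp)


def replay_fails(username: str, password: str) -> bool:
    """An encoding captured during one login (old_salt) is useless against
    the next login, because the server now expects one made with new_salt."""
    old_salt = server_issue_challenge()
    captured = client_response(password, old_salt)  # what an eavesdropper sees
    new_salt = server_issue_challenge()
    return not server_verify(username, new_salt, captured)


if __name__ == "__main__":
    print("login ok:", login("alice", "correct horse battery staple"))
    print("wrong password rejected:", not login("alice", "wrong"))
    print("replay rejected:", replay_fails("alice", "correct horse battery staple"))
```

Note that a single fixed random string would give none of the replay protection shown by replay_fails: the captured encoding would verify forever. The string has to be generated by the server per attempt and sent to the client before the client encodes.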