Secure over http

So I implemented my ideas for secure login over http. Here’s the actual client-side code:

function logOn(){
	// One round trip: GET ./u/logon/<name>/<response>, where response is
	// MD5(session salt + MD5(password)), so the password itself never leaves the browser.
	// edu.ua.lib.salt is the per-session salt the server embedded in the page.
	// The name is encoded because it becomes a URL path segment.
	$.getJSON(
		edu.ua.lib.inferRelative('./u/logon/' + encodeURIComponent(document.log_on.name.value) + '/'
		+ MD5( edu.ua.lib.salt + MD5(document.log_on.password.value) ) ),
		function(data){
			// Everything from here on is UI: the server's JSON says only whether it worked,
			// who is logged on, and whether to show the admin menu.
			if( data.error != '0' ){
				$('#log_on_feedback').text('Log on FAILED').slideDown( 1000 );
			} else {
				$('#log_on_feedback').slideUp( 1000 );
				$('#logged_on_as').text('Logged on as ' + data.user);
				$('#log_on_ui').slideUp( 1000 );
				$('#log_off_ui').slideDown( 1000 );
				if( data.admin == 'yes' ){
					$('#admin_menu').slideDown( 1000 );
				} else {
					$('#admin_menu').hide();
				}
			}
		}
	);
}

The dependencies are jQuery 1.3+ and an MD5 function written in JavaScript (of which I found several). Note that the code above implements an AJAX (well AJAjson) login with in-page feedback and modeless UI rebuild after successful login. It could be even simpler. Of the code above, exactly one line handles the security portion, the rest is UI. Also note that the server-side is even simpler, since it doesn’t do any UI stuff. The key bit is:

// $params holds the URL path segments: $params[2] is the user name, $params[3] the client's response.
$user = $db->simple_search('user', 'name', strtolower($params[2]));

if( count( $user ) != 1 ){
	echo $bad_login_attempt; // always give identical feedback for failed attempts
} elseif( hash_equals( md5( $_SESSION['salt'] . $user[0]['password_hash'] ), (string) $params[3] ) ){
	// The client sent MD5(salt . MD5(password)) and password_hash is the stored MD5(password).
	// hash_equals (PHP >= 5.6) is a strict, constant-time comparison; a loose == would treat
	// hex strings of the form 0e... as equal numbers.
	$_SESSION['logged_in'] = true;
	... // snip highly specific stuff
} else {
	echo $bad_login_attempt;
}

The server provides the same feedback for all failure modes, and generates a random salt per session which is included inside the master JavaScript object (edu.ua.lib) that handles the UI (it’s probably not a very good random salt, but this isn’t intended or expected to stop the NSA). Two properties of the scheme follow directly from the code and are worth keeping in mind: the salt must be unpredictable and a captured response stays valid for as long as that salt does, so a session’s salt should be rotated after each attempt; and because the client’s response is computed from MD5(password), the stored password_hash is by itself enough to log in, so the user table has to be protected as if it held the passwords. Over plain http an active attacker can also alter the page, the salt and the MD5 function in transit, which is the boundary this design works within.