javascript

Login With Password Remembered

login with password remembered

With password remembered, the password must be encrypted in some way and stored in the cookie, actually there’s 3 cookies in header when user browser request for certification. $.cookie('cn')- username $.cookie('ct')- time stamp last login $.cookie('ctoken')- encrypted password or some other info required to be certificated by server

Then we know ctoken is important, there’s problem- how to ensure the password is not cracked by hackers, below is a way to do some calculation like or with two strings.

Think about this: if we just simply encrypt the password with MD5, sha1… and store in browser, is that safe? Maybe, but the most keys are cracked with md5, or sha1…, so we should encrypt it with some more complicate way:

1
2
3
4
5
6
7
8
9
10
11

 var user = $.trim($("#username").val());
 var pass = $.trim($("#password").val());
 var sk = new Date().getTime().toString();
 $.cookie('cn', user, { expires: 7, path: '/' });
 $.cookie('ck', sk, { expires: 7, path: '/' });
 var phash = CryptoJS.MD5(pass).toString();
 var cthash = CryptoJS.MD5(user + sk + phash).toString();

 var token = xorString(phash, cthash);
 $.cookie('token', token, { expires: 7, path: '/' });
 //then request the server for validation

what’s xorString, it creates a token for server validation. The xorString gets two params - phash which is the password encrypted in MD5, another is cthash which is the username + timestamp + MD5(password) encrypted in MD5. We can see the xorString is handling the two strings in a special way. What will it?

1
2
3
4
5
6
7
8

        var hex = "0123456789abcdef";
        var xorString = function (str, key) {
            var rs = "";
            for (var i = 0; i < str.length; i++) {
                rs += hex[hex.indexOf(str[i]) ^ hex.indexOf(key[i])];
            }
            return rs;
        };

It’s easy, just a or operation with each MD5 result, it’s an MD5 result again, but not the result of password. And although others know the token is some or result. It’s nearly impossible for them to crack it.

Of course, we can calculate the right token easily in the server side. Here’s a version of C#:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

    private static string StringXor(string str, byte[] key)
    {
        for (var i = 0; i < key.Length; i++)
        {
            key[i] = (byte)(Convert.ToByte(str.Substring(i * 2, 2), 16) ^ key[i]);
        }
        return BitConverter.ToString(key).Replace("-", "").ToLower();
    }
  private bool auth() {
      string cn = "";
      string ct = "";
      string token = "";

      string password = "" //select from the db
      byte[] cctoken;
                using (var md5 = MD5.Create())
                {
                    cctoken = md5.ComputeHash(Encoding.ASCII.GetBytes(cn + ct + password));
                }
                return token.Equals(StringXor(password, cctoken)) ? true : false;
}

We can store the ‘password’ safely in the browser.