 | | | Flash authentication without database | Flash authentication without database
2004-02-22 - By martin weiser
Back
if you use PHP, why not sessions, if you save password in text file, that 's
security flaw, and if you use http to sent passwords not encoded that 's bad
as well, IMHO..
there are some class for flash MD5, use that, to generate hash from
password, and work with that hash, save it in txt, and in future compare
hash to hash to authenticate user, but anyway, password in txt isn;t good
idea, use sessions or cookies at least, but either way use md5...
mw
-- -- Original Message -- --
From: "Dominico Savio " <dominicosavio@(protected) >
To: <flashcoders@(protected) >
Sent: Sunday, February 22, 2004 9:48 PM
Subject: RE: [Flashcoders] Flash authentication without database
> after Jim 's email, I did it this way.
>
> 1. place a text file, containing passwork, username, expiration date
outsite
> the root folder
> 2. using Flash interface sending username & password (which user enters)
to
> php script.
> 3. PHP read the text file, and check for username & password, then send
back
> the info to Flash
>
> and this is my PHP script:
>
> <?php
> // Read in the data that Flash sent over.
> $username = $_POST[ 'varU '];
> $password = $_POST[ 'varP '];
> $today = strtotime(date( 'Y-m-d ' ));
>
> $filename = "../user.txt ";
> $fp = fopen($filename, "r ");
> $file_contents = fread($fp, filesize($filename));
> fclose($fp);
>
> $line = explode( "\n ", $file_contents);
> $i = 0;
> while($i <= sizeof($line)) {
> $data_pair = explode( ": ", $line[$i]);
> // try to find a match, assign value of 1 to $auth and break out of the
> loop
> if (($data_pair[0] == "$username ") && ($data_pair[1] == "$password ") &&
> ($today < strtotime($data_pair[2]))) {
> $auth = 1;
> $url = $data_pair[3];
> break;
> } else {
> $auth = 0;
> }
> $i++;
> }
> if ($auth == "1 ") {
> echo "authorized=true&url= ".$url. "&check=done ";
> exit;
> } else {
> echo "authorized=false&check=done ";
> exit;
> }
> ? >
>
> Is this way secure enough? Is there any security hole?
>
> PS: thank you Jim for the code.
>
> -- --Original Message-- --
> From: martin weiser [mailto:weiser.m@(protected)]
> Sent: Sunday, February 22, 2004 4:24 AM
> To: flashcoders@(protected)
> Subject: Re: [Flashcoders] Flash authentication without database
>
>
> hmm, and how to compare crypted pass, with input pass ?
>
> when .htaccess can handle crypted password by sevreal algorythms, even
their
> combinations (crypt() + md5 + base64encode())
>
> martin
>
>
> -- -- Original Message -- --
> From: "Jim Cheng " <jim@(protected) >
> To: <flashcoders@(protected) >
> Sent: Sunday, February 22, 2004 3:42 AM
> Subject: Re: [Flashcoders] Flash authentication without database
>
>
> > Dominico Savio wrote:
> >
> > > Is there a way to build a Flash authentication without using a
> database???
> >
> > Certainly! The entire reason for the existence of databases
> > is for quick access to very large numbers of records. If
> > you don 't need to authenticate too many users against their
> > passwords (perhaps under a thousand unique users), you can
> > just use a plain text file to store their names and passwords
> >
> > The Unix passwd system and many web servers do just this for
> > their built-in access control. You 'd then only need some
> > server-side script that 'll communicate with Flash, scan the
> > file and authenticate their password against what 's listed
> > for that user in the file (typically a hash for security
> > reasons).
> >
> > If you 're using Apache, you even do this with just .htaccess
> > and .htpasswd files in a local directory without having to
> > go through scripting to limit user access to certain files.
> >
> > Jim
> >
> > =-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
> > Supported by Fig Leaf Software
> > =-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
> > Be sure to check the archives and the wiki:
> > http://chattyfig.figleaf.com/
> > =-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
> > http://chattyfig.figleaf.com/cgi-bin/ezmlm-cgi?1:mss:104910
> > =-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
> > To unsubscribe send a blank e-mail to:
> > Normal Mode: flashcoders-unsubscribe@(protected)
> > Digest Mode: flashcoders-digest-unsubscrive@(protected)
> >
> >
> >
> > __ ____ __ Informacia od NOD32 1.561 (20031121) __ ____ __
> >
> > Tato sprava bola preverena antivirusovym systemom NOD32.
> > http://www.eset.sk
> >
> >
>
>
> =-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
> Supported by Fig Leaf Software
> =-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
> Be sure to check the archives and the wiki:
> http://chattyfig.figleaf.com/
> =-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
> http://chattyfig.figleaf.com/cgi-bin/ezmlm-cgi?1:mss:104919
> =-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
> To unsubscribe send a blank e-mail to:
> Normal Mode: flashcoders-unsubscribe@(protected)
> Digest Mode: flashcoders-digest-unsubscrive@(protected)
>
>
> =-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
> Supported by Fig Leaf Software
> =-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
> Be sure to check the archives and the wiki:
> http://chattyfig.figleaf.com/
> =-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
> http://chattyfig.figleaf.com/cgi-bin/ezmlm-cgi?1:mss:104924
> =-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
> To unsubscribe send a blank e-mail to:
> Normal Mode: flashcoders-unsubscribe@(protected)
> Digest Mode: flashcoders-digest-unsubscrive@(protected)
>
>
>
> __ ____ __ Informacia od NOD32 1.561 (20031121) __ ____ __
>
> Tato sprava bola preverena antivirusovym systemom NOD32.
> http://www.eset.sk
>
>
=-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
Supported by Fig Leaf Software
=-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
Be sure to check the archives and the wiki:
http://chattyfig.figleaf.com/
=-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
http://chattyfig.figleaf.com/cgi-bin/ezmlm-cgi?1:mss:104925
=-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
To unsubscribe send a blank e-mail to:
Normal Mode: flashcoders-unsubscribe@(protected)
Digest Mode: flashcoders-digest-unsubscrive@(protected)
|
|
|