Session authentication verifies that the login page was created by the server and that the user's response arrives within 30 seconds of the login page request. The login response hash is the MD5 hash of the user name/password hash combined with the unique session ID, i.e., it is unique and cannot simply be re-presented to the server for authorization. The latest release supports file-level locking of the session database; this ensures that only one valid session response is possible. Thanks to Ashish Desai for help on this.
How This Application Works
Hash-based authentication methods work via a challenge-response mechanism. The server sends a random challenge. The client combines the random challenge with the password and computes a one-way hash. The client sends the hash to the server, which performs the same computation. If the client's supplied hash matches the server's computed hash, the authentication succeeds.
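The exchange described above, worked through as an added Python example (not the module's Perl code), with the 30-second window and the one-response-per-session-ID rule from the introduction enforced on the server side. The exact MD5 layout ("user:password", then credential hash followed by session ID) and the in-memory store standing in for the flock()ed .db file are assumptions.

```python
import hashlib
import hmac
import secrets
import time

WINDOW_SECONDS = 30          # page: response must arrive within 30 s of the login page


class ChallengeStore:
    """Outstanding session IDs. The module keeps these in a flock()ed .db file;
    a dict stands in for it here (assumption), with an injectable clock for tests."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # session_id -> time the login page was issued

    def issue(self):
        sid = secrets.token_hex(16)           # random challenge sent with the login page
        self._pending[sid] = self._now()
        return sid

    def consume(self, sid):
        # pop() removes the ID on first use, so a replayed response finds nothing
        return self._pending.pop(sid, None)

    def now(self):
        return self._now()


def credential_hash(username, password):
    # server-side stored value; the "user:password" layout is an assumption
    return hashlib.md5(f"{username}:{password}".encode()).hexdigest()


def login_response(cred_hash, sid):
    # client side: hash of the credential hash combined with the session ID
    return hashlib.md5((cred_hash + sid).encode()).hexdigest()


def verify(store, users, username, sid, response):
    """Server side: True only for a fresh, unused session ID and a matching hash."""
    issued = store.consume(sid)
    if issued is None or store.now() - issued > WINDOW_SECONDS:
        return False
    stored = users.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(login_response(stored, sid), response)
```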
I'm not a security expert by any means, and so I'm not qualified to say exactly how safe/unsafe this scheme is. Judge for yourself, I'd be curious to hear what you think.
Note that this module does NOT provide security against eavesdropping or hijacking. A positive identification can be followed by an attacker stealing the connection. This scheme is also open to a man-in-the-middle-type attack. Also, the cookie itself could be sniffed, which allows an authentication bypass. So my summary is that this is not an SSL-strength solution, but it's better than using .htaccess or other methods that transmit the name/password information as plain text.
I don't have time to work on this code right now, so hack away if you have any other ideas to improve it. Another thing that would be cool: an email-based admin approval scheme for new users.
Install Notes
This can be difficult to install because of file permission issues. Often it doesn't work because the .db files can't be read AND written by the web server process. The debug messages aren't clear, and there isn't much documentation for debugging. If you don't know Perl and unix filesystems well, you might get stuck...
August 2nd, 2002: Version 0.21: Lock code was integrated into the LoginMD5.pm module to make installation easier.
July 31st, 2002: Version 0.20 changes: I figured out that the session ID can be forced to be unique; now only one response is possible for each session ID, and locking the database file (with unix flock()) ensures only one correct authentication response is possible per session ID. The session ID is now randomly generated (with a new algorithm using Perl rand()). For stronger randomization of the session ID, the Perl CPAN module Math::Random::MT can be enabled in LoginMD5.pm (at line 170). Other changes: there are now both 'addUser.pl' and 'removeUser.pl' command-line utilities.
July 12th, 2002: Now uses a cookie to maintain the user session as valid (for 1 day, by default).
July 6th, 2002: I just released a working prototype that can be downloaded from SourceForge. Any feedback/bug reports would be appreciated.