Flaws in attempt at securely sending post data with PHP

This is my hackish attempt to learn / understand secure(ish) sending of post data. Constructive criticism welcome.

This is just theory, not much code. Also, I'm using PHP's SHA1() in the examples, only because I have put time in understanding its internals. I know theres other (better?) algorithms (example: MD5()) so swap out for your favorite.

1) Server generates a random salt rand(min, max), sends it with the page upon request, computes and 开发者_Go百科stores the SHA1(un:pw:salt) along with the server timestamp of the request (to a database)

1a) Note : salt is sniffable, so assume hacker knows salt (can you un-SHA1() something, to get the SHA1'd data out?)

2) User inputs username and password clicks submit

3) Submit fires a JavaScript function (packed for obfuscation, yeah I know, this does not add true security) that SHA1(un:pw:salt), then posts only that result to the server

3a) Note : encrypted credential is sniffable

4) Server checks that the received credentials match what it stored in the database, and arrive within a timeframe (5 min or so) since the initial request. allow / deny decision is made.

Further requests alter the salt, so even if someone sniffed the encrypted data, it would be useless after a) user makes new page request b) timeframe expires

Thoughts?

Edit: also, assume all the strip tags / SQL hacks / < > etc... injections are dealt with appropriately.

Use https and move on to the next problem!

This is sort of how "Digest" authentication works for HTTP.

If you are interested in learning, read more about the Digest Authentication method.

Digest authentication does prevent a man-in-the-middle from learning the users password. But, it is vulnerable to attacks where the sniffer can alter traffic too. An active attacker can let the user provide the credential, but modify the body of the request as they like.

Also, as you describe things, the server stores the user's password. This is bad. Password based authentication should only store something derived irreversibly from the password.

I recommend that you use SSL and learn how to hash passwords for server-side storage.