DNN 1.0.10c Core Enhancement: implement MD5 secured login without SSL
Features: Will provide MD5 secured login without SSL enabled.
Download Link: http://www.softtalk.com.sg/md5login.zip
Why this is needed: Hackers can sniff your connection for outgoing packets. If your password is in clean text, your site can be easily hacked as DNN's admin is purely web based.
What does this MD5 login do: it basically encrypts your password with a salt generated by the server before sending it to the server for authentication. So even if someone is sniffing your connection, he will get an encrypted string (with salt!). With today's computing power, it is not possible to decrypt the string.
Credits: This enhancement uses the JavaScript from Paj (http://pajhome.org.uk/crypt/md5/) and the SQL UDF from Rambo Qian.
Changes:
- signin.aspx: add JavaScript function hashPassword(), add ref to Paj's MD5 JavaScript.
- signin.aspx.vb: create salt, pass salt to Security.UserLogin().
- Security.vb: Change UserLogin function to accept one more optional parameter "Salt"
- Stored Procedure "UserLogin": change to accept one more parameter "Salt", change the login logic to process clean login and encrypt login.
- create UDF MD5 in MS SQL database.
Install:
- unzip the download file
- run MD5.udf.sql in QA
- modify your UserLogin stored procedure with UserLogin.sp.sql
- modify the 3 files accordingly
- add md5.js into "/javascript" folder
Enjoy DNN!
Regards,
Timothy MO (mojiazho@{}{NO___SP+++AM}{}yahoo.com)
---
Timothy
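
The salted login exchange described in the post, as an added example that is not part of the original post and not the code in md5login.zip. It assumes the response is MD5(password + salt) in hex and that the server recomputes it from the password it stores; `issueSalt`, `verifyLogin` and `demo` are hypothetical names, and only `hashPassword` is a name from the post.

```javascript
// Added illustration of a salted MD5 login exchange (runs under Node.js).
const nodeCrypto = require("node:crypto");

// Client side. Assumption: response = MD5(password + salt), lowercase hex.
function hashPassword(password, salt) {
  return nodeCrypto.createHash("md5").update(password + salt, "utf8").digest("hex");
}

// Server side: issue a fresh random salt with each login page and remember it.
function issueSalt(pending) {
  const salt = nodeCrypto.randomBytes(16).toString("hex");
  pending.add(salt);
  return salt;
}

// Server side: accept a response only for a salt this server issued, and only once.
function verifyLogin(storedPassword, salt, response, pending) {
  if (!pending.delete(salt)) return false; // unknown or already-used salt
  const expected = Buffer.from(hashPassword(storedPassword, salt), "hex");
  const got = Buffer.from(String(response), "hex");
  // Constant-time comparison; the length check also rejects malformed hex.
  return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
}

// Constructed walk-through: one genuine login, then two replays of the
// value that was visible on the wire.
function demo() {
  const pending = new Set();
  const stored = "correct horse"; // constructed sample password
  const salt1 = issueSalt(pending);
  const onWire = hashPassword(stored, salt1); // what a sniffer would capture
  const first = verifyLogin(stored, salt1, onWire, pending);
  const replaySameSalt = verifyLogin(stored, salt1, onWire, pending);
  const salt2 = issueSalt(pending);
  const replayNewSalt = verifyLogin(stored, salt2, onWire, pending);
  return { first, replaySameSalt, replayNewSalt };
}
```

The captured value is rejected on replay only because each salt is random and consumed on first use; a salt that is reused or predictable would make the sniffed hash as good as the password.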