plugin:securelogin

plugin:securelogin [2014-09-22 23:32] casperplugin:securelogin [2018-05-28 21:45] – [Download and Installation] Klap-in
Line 1: Line 1:
-====== securelogin plugin ======+====== SecureLogin Plugin ======
  
 ---- plugin ---- ---- plugin ----
-description: This plugin let you login securely without HTTPS.+description: This plugin encrypts submitted passwords, giving you and your users an extra layer of security.
 author     : Mikhail I. Izmestev, Matt Bagley author     : Mikhail I. Izmestev, Matt Bagley
 email      : securelogin@mattfiddles.com email      : securelogin@mattfiddles.com
 type       : admin, action type       : admin, action
-lastupdate : 2014-04-17 +lastupdate : 2018-02-17 
-compatible : 2009-03-12+, rincewind, angua, Adora Belle, Weatherwax, Binky, Ponder Stibbons+compatible : 2009-03-12+, rincewind, angua, Adora Belle, Weatherwax, Binky, Ponder Stibbons, Hrun, Detritus, Elenor Of Tsort, Frusterick Manners
 depends    :  depends    : 
 conflicts  conflicts 
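Review bot: The reworded description correctly drops the old "without HTTPS" claim, but it should now say plainly that the plugin is not a substitute for TLS: only the password value is encrypted, while the username and everything else in the request (and the response) still travel readable over HTTP, as the captured form data later on this page shows (`u:MyUser` next to the encrypted `securelogin` value). Suggest appending a sentence such as "It does not replace HTTPS; only the password field is protected." The `lastupdate : 2018-02-17` line agrees with the 20180217 changelog entry, which is good.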
Line 21: Line 21:
 ===== Description ===== ===== Description =====
  
-//The download location has changed to https://github.com/bagley/dokuwiki-securelogin/tarball/master For it to work on Weatherwax/Binky you need at least version 2014-04-17.//+This plugin uses [[http://www-cs-students.stanford.edu/~tjw/jsbn/|Tom Wu's implementation of RSA algorithm in JavaScript]] on the client to encrypt the login password with the server's public key. The encrypted password is then sent to the server where it can be decrypted. Man-in-the-middle attacks are prevented by using a variable token (salt) added to the password before encrypting. Therefore, replay attacks don't work.
  
-This plugin uses [[http://www-cs-students.stanford.edu/~tjw/jsbn/|Tom Wu's implementation of RSA algorithm in JavaScript]] on the client to encrypt the password with the servers public keyThe passwords are sent encrypted over HTTP. No need for HTTPS. Man-in-the-middle attacks are prevented by using a variable token (salt) added to the password before encryptingThereforereplay attacks don't work.+When securelogin is used, there is always a //use securelogin// checkbox near the password fieldIf the browser has no JavaScript or JavaScript is disabled, then obviously, the passwords are sent in clear text, as they are by default with DokuWikiIn this case thoughthe user //should// notice the absence of the checkbox.
  
-With version 20091213 and + , whenever a password has to be entered, it is automagically encrypted by this plugin, be it on the +----
-//login//, //profile// or //admin// page.+
  
-securelogin version 20091206 and + is compatible with the [[:plugin:showlogin|showlogin]] plugin. +Alsowhenever a password has to be entered, it is automagically encrypted by this pluginbe it on the //login//, //profile// or //admin// page.
- +
-When securelogin is usedthere is always //use securelogin// checkbox near the password field. If the browser has no JavaScript or JavaScript is disabled, then obviously, the passwords are sent in clear text, as they are by default with DokuWiki. In this case though, the user will notice the absence of the checkbox.+
  
 +securelogin version 20091206 and + is compatible with the [[:plugin:showlogin|showlogin]] plugin.
  
 ===== Download and Installation ===== ===== Download and Installation =====
  
-  - Download and install the plugin using the [[plugin:plugin|Plugin Manager]], please use the download link given above. Refer to [[:Plugins]] on how to install plugins manually.+  - Search and install the plugin using the [[plugin:extension|Extension Manager]]. Refer to [[:Plugins]] on how to install plugins manually. For manual installation, please refer to [[:Plugins]].
   - Go the admin pages and select //securelogin//. Then click on the ''generate-new-key'' button.   - Go the admin pages and select //securelogin//. Then click on the ''generate-new-key'' button.
   - You're done. From then on, all passwords are encrypted before being sent.   - You're done. From then on, all passwords are encrypted before being sent.
 +
 +===== How it works =====
 +
 +Normally when you submit your 'MySecretPa$$word', you will see it in the data transfer (using wireshark, tcpdump, developer tools, etc):
 +
 +<code>
 +id:start
 +do:login
 +u:MyUser
 +p:MySecretPa$$word
 +</code>
 +
 +You can easily see the 'MySecretPa$$word' in the above example.
 +
 +But when you use this plugin, it will encrypt the password, which can only be decrypted on the server.
 +
 +<code>
 +id:start
 +do:login
 +u:MyUser
 +p:******
 +use_securelogin:1
 +securelogin:M66YMHFzjl9qXa96zr2JzDWlV3WTE+4mOgJZNNr3yW9xPzSORtSIjp+ZNczopNUp5N0M0ASiqutgf1nio+iTNj3pS24kHD1LZb6GcG7cFvpr/uzfxJsO8jAbFD6/ZkB0xy9vBMabn3BYP7GWLrTR3b/7zNdla/FdqjX9U48dHMrcO2/ZFJKLsdzt84/bC+3xoV7/qC/BZO5AbQ37SvLEC7DaMTMtbSqlF573Y0iOMb3wYe1rj2m/HQiBM8ro25OBfnUxmgJFMVVkfkLdNUepRjUeeJSXF+R5XDcO2L4uX9D8AOE8nSecRn+0gqwz6PzPPqEpv60y0Io1rZXevG+I9Q==
 +</code>
 +
 +The javascript on the page takes the form's password variable `p=MySecretPa$$word`, encrypts it with the provided salt (changed on every page load), and sets the result as `securelogin`. It also replaces `p`'s value with stars so it can't submit the password in the clear. 
 +
 +When the server receives the data, it sees that `use_securelogin` is set to `1` (true), so it knows the password was encrypted. It will decrypt the `securelogin` variable and separate it from the salt value. From this it gets the `p=MySecretPa$$word` value, which it sets so the Dokuwiki authentication routines have it. Dokuwiki can then compare the passwords like it normally does.
 +
 +This same process happens during the add user, modify user, and edit profile options. This is what will be seen if someone views a user changing their password (with this plugin active):
 +
 +<code>
 +do:profile
 +fullname:MyUser
 +email:user@example.com
 +newpass:******
 +passchk:******
 +oldpass:******
 +use_securelogin:1
 +securelogin:mCUIwYbHRgNjmAkr1CHssH8g1ZAgGKIxsFsMZUN1XM703V2g4hB5upzfJeVyE/aT9ByOYxQChbhRyJezjD7jO4LKwlgBR/Jnqkr+rUr70MLcoRybM8maTGdAGDM3VweSylqAGOASKb87hKYb0URUFo+yfGaKp572IWCfSZDHLrP1Hrs/f7EYKXozXpMNHA3l/VXNm2wGAwvkvnfFgkRZonrdfdUlLDC0OkBpa3WawMqoYb+1/kcuGsBcAve0Tp+uMQZw8FwHj8SOp9kJLUnEqXrop2pXa3mc9j8NS54CeCbJuJ0qfEhUHIE9/BHUgbmCPQV6XNWttZbRp8r1Q1dG/g==
 +</code>
 +
 +In this case, all three passwords are encrypted into `securelogin`, and the post values replaced with stars.
  
 ===== Changes ===== ===== Changes =====
 +  * **20180217** Thanks to [[https://github.com/jaller94|Christian Paul]] for reporting
 +    * Fixed issue where second password was not encrypted on add/modify users
 + 
 +  * **20150928** Thanks to Satoshi Sahara
 +    * compatible with DokuWiki 2015-08-10 "Detritus"
 +    * replace deprecated split() function call
 +    * prevent PHP error output
 +    * use PHP5 constructor method for classes
 +    * Improved coding style and added license header in source files
 +
 +  * **20140923** Thanks to Hideaki Sawada
 +    * Japanese language files added
 +
   * **20140417**   * **20140417**
-    * Changed download link per [[izmmishao5@gmail.com|Mikhail I. Izmestev's]] [[http://github.com/izmmisha/dokuwiki-securelogin/pull/1|request]]+    * Changed download link per [[izmmishao5@gmail.com|Mikhail I. Izmestev's]] [[https://github.com/izmmisha/dokuwiki-securelogin/pull/1|request]]
     * Updates to plugin info in admin page, like the website link and more unified info.     * Updates to plugin info in admin page, like the website link and more unified info.
  
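Review bot: In the new Description paragraph, "Man-in-the-middle attacks are prevented by using a variable token (salt)" does not follow and should be reworded to claim replay protection only: a salt that changes on every page load stops a captured `securelogin` value from being reused, but nothing described here authenticates the public key or the JavaScript the browser receives over the same unencrypted connection, so an active intermediary is not addressed. A safer wording is "A variable token (salt) is added to the password before encrypting, so a captured value cannot be replayed." Relatedly, the "How it works" text says the server will "decrypt the `securelogin` variable and separate it from the salt value" but never states that the server checks the salt against the one it issued for that page load and rejects reuse; that check is what the replay claim rests on and should be documented. Minor: the first Download and Installation item now says "Refer to [[:Plugins]] on how to install plugins manually." and then repeats "For manual installation, please refer to [[:Plugins]]."; one of the two should go.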
Line 72: Line 126:
     * fix problem with URL-rewrite DokuWiki method     * fix problem with URL-rewrite DokuWiki method
     * add French translation     * add French translation
 +
 +For support for these older versions (if you really need outdated software) use https://github.com/bagley/dokuwiki-securelogin/archive/c1f0a0e018cedfd29a48ab157098efe480e37049.zip
 +  * 2014-05-05 "Ponder Stibbons"
 +  * 2013-12-08 "Binky"
 +  * 2013-05-10a Weatherwax
 +  * 2012-10-13 Adora Belle
  
 ===== Comments ===== ===== Comments =====
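Review bot: The pinned archive link for older DokuWiki releases should state which plugin version that commit corresponds to and, in particular, whether it includes the 20180217 fix listed above ("second password was not encrypted on add/modify users"); otherwise an administrator who has to stay on Ponder Stibbons, Binky, Weatherwax or Adora Belle cannot tell from this page that the second password field may still be submitted in clear text on the add/modify user forms with that build. A one-line note next to the link, stating the plugin version and the known limitation, would close that gap.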
plugin/securelogin.txt · Last modified: 2023-10-30 23:29 by Klap-in
