MD5 Encryption using Progress

MD5 is a one-way hashing algorithm, which means that once you encode a string with it, it is virtually impossible to recover the original string due to the vast amounts of computing power that would be necessary to do so. It is useful to WebSpeed programmers in that it can provide a fairly secure method of logging in without any third-party plugins or having to use browser authentication. Paul Johnston has also written a JavaScript version of MD5, available at http://pajhome.org.uk/crypt/md5/, and he has explained MD5 a lot better than I could.

Using the combination of the JavaScript implementation and my Progress version you could provide a basic authentication routine along the lines of:

  • WebSpeed provides a logon screen and sends a unique number to the client.
  • The client concatenates the password and the unique number together and encodes them (using the JavaScript).
  • The client sends the username as clear text and the encoded password/unique number to the server.
  • The server encodes the stored password for the user along with the unique number it originally sent and compares the result with the one sent by the client.
  • The server then passes back another unique "session" key which is passed back and forth and used to identify the user in subsequent web pages.

The purpose of the initial unique number is so that someone monitoring the network traffic cannot capture the username and encoded password and simply replay the original logon process. In my application I have also stored the original IP address that started the session in order to prevent anyone monitoring the session key sent back from the server and using it to bypass the login screen.
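
The logon exchange above, sketched for Node.js as an added example (it is not the author's Progress or JavaScript source). The function names, the in-memory stores and the sample user are assumptions made for illustration.

```javascript
// Added example: challenge-response logon with MD5, single-use numbers and IP-bound sessions.
const { createHash, randomBytes, timingSafeEqual } = require("node:crypto");

const md5hex = (s) => createHash("md5").update(s, "utf8").digest("hex");

// Constructed sample data. The server must hold the password in a form it can
// concatenate with the unique number, as the page's fourth step requires.
const users = new Map([["alice", "correct horse"]]);
const pendingChallenges = new Set(); // unique numbers sent out and not yet used
const sessions = new Map();          // session key -> { user, ip }

// Step 1: the server sends a unique number with the logon screen.
function issueChallenge() {
  const nonce = randomBytes(16).toString("hex");
  pendingChallenges.add(nonce);
  return nonce;
}

// Steps 2-3: the client hashes password + unique number and sends the result.
function clientResponse(password, nonce) {
  return md5hex(password + nonce);
}

// Steps 4-5: the server recomputes the hash, compares, and returns a session key (or null).
function login(username, nonce, response, ip) {
  if (!pendingChallenges.has(nonce)) return null; // unknown or already used: a replay
  pendingChallenges.delete(nonce);                // each unique number is valid once
  const stored = users.get(username);
  if (stored === undefined) return null;
  const expected = Buffer.from(md5hex(stored + nonce), "hex");
  const got = Buffer.from(String(response), "hex");
  if (got.length !== expected.length || !timingSafeEqual(got, expected)) return null;
  const key = randomBytes(16).toString("hex");
  sessions.set(key, { user: username, ip });      // remember the IP that started the session
  return key;
}

// Subsequent pages: the session key is honoured only from the originating IP.
function userForSession(key, ip) {
  const s = sessions.get(key);
  return s && s.ip === ip ? s.user : null;
}
```

A captured username and response fail on a second submission because the unique number is deleted on first use, and a captured session key fails from any other address.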

    Click here for the Progress source code or here for the JavaScript implementation.
