Ragnarok: Back End Tutorial

Please note the following before using this tutorial:

  • This tutorial was designed for PHP, but can equally be implemented in any server-side scripting language.
  • The server must have Perl installed, and the language must have the privileges and access to a system execution function.
  • To use the module, the modules it uses must be installed.
  • The code has been created to never output single quotes, so single quotes are the safest way to encase the encrypted text.
  • Use temporary session-only cookies for optimal security.
  • Use the Ragnarok Encryption image to show that you are using the Ragnarok module, downloadable here (also please consider implementing all of our security precautions).
Also, if you use Bakmiup, Ragnarok is used by default in the Login page.

The Form

The simplest way to design the form is by using a table with two objects: a username field, a password field, and a submit button. This can be formatted, designed, or modified in any way, but this is the minimum information required.

PHP

It is important to validate the input given by the user in order to prevent hacking attempts. Next, create two variables: one holding the Ragnarok-encrypted username and one holding the proof. Use the module to get both encrypted fields. The following commands invoke Ragnarok and store its returned values:

$encrypted_username = shell_exec(escapeshellcmd('perl Ragnarok.pm --generate=upass --username="' . $original_username . '" --password="' . $original_password . '" --returnusername'));

$encrypted_proof = shell_exec(escapeshellcmd('perl Ragnarok.pm --generate=upass --username="' . $original_username . '" --password="' . $original_password . '"'));

It is recommended to use the function escapeshellcmd for extra security. Check to see if that information is successfully retrieved from a database.
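
A hardened way to make the two calls above, as an added example that is not part of the original tutorial or the Ragnarok project: escapeshellcmd leaves paired quotes unescaped, so a value containing a double quote can close the --username="..." quoting, whereas escapeshellarg applied to each value keeps it a single argument. The helper names and the input limits are assumptions; only the command-line flags come from this page.

```php
<?php
// Added example, not Ragnarok's own code. ragnarok_build_command() and
// ragnarok_upass() are hypothetical helpers; the flags are the tutorial's.

function ragnarok_build_command(string $username, string $password, bool $returnUsername): string
{
    // escapeshellarg() quotes each value as exactly one shell argument, so
    // quotes or spaces inside it cannot end the argument or add an option.
    $cmd = 'perl Ragnarok.pm --generate=upass'
         . ' --username=' . escapeshellarg($username)
         . ' --password=' . escapeshellarg($password);
    return $returnUsername ? $cmd . ' --returnusername' : $cmd;
}

function ragnarok_upass(string $username, string $password, bool $returnUsername = false): string
{
    // Assumed limits: reject empty, over-long, or control-character input
    // (including NUL bytes) before anything is handed to the shell.
    foreach ([$username, $password] as $value) {
        if ($value === '' || strlen($value) > 256 || preg_match('/[\x00-\x1F\x7F]/', $value)) {
            throw new InvalidArgumentException('Rejected login input');
        }
    }
    // Caveat: command-line arguments can be visible to other local users
    // through the process list while perl is running.
    $out = shell_exec(ragnarok_build_command($username, $password, $returnUsername));
    // shell_exec() does not return a string when the command fails or prints nothing.
    if (!is_string($out) || trim($out) === '') {
        throw new RuntimeException('Ragnarok returned no output');
    }
    return trim($out);
}

// Constructed sample input: quotes and spaces stay inside one argument each.
echo ragnarok_build_command('o"brien x', 'pass word', true), PHP_EOL;
```

Call ragnarok_upass($original_username, $original_password, true) for the encrypted username and ragnarok_upass($original_username, $original_password) for the proof.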

Validation

If the username and password were a successful combination to gain access to the site, two cookies will be used to store the user's information temporarily. The first cookie will contain the username. This username is obtained by requesting the variable that contained the text that the user entered into the username field of the login form. The next piece of information that should be stored in a temporary cookie is the encrypted username. This cookie will be used to make sure that the user is authenticated on all pages of the site.

Updating Passwords and Upgrading the Encryption

Updating a password or upgrading the encryption alters both the username proof code and the password proof code stored in the database. To update a password, check that the user's old username and password combination is valid, and then re-encrypt the username and password with the latest encryption algorithm. The same principle applies to upgrading encryption: make sure that the encryption is valid for the version of Ragnarok, then re-encrypt using the latest version. Another column should be kept in the database, along with the username and password proof codes, to record which version the username and password were encrypted with. One could make a login hook that checks the Ragnarok version and, if the version is not up to date with the current Ragnarok module, rectifies this. Note that this requires users to log in before their proof codes can be updated, because the server doesn't actually know what their usernames and passwords are.


Topic revision: r1 - 2014-12-14 - ZachBornheimer
 