JS-SHA1-Login is not a simple "send username + SHA(password)" scheme.
It is more of a challenge-handshake authentication protocol!


Oversimplified procedure:

  1. The client gets a challenge and a salt from the server.
  2. The user enters his name and password.
  3. JavaScript generates a SHA1 hash from password + challenge + salt + nonce.
  4. The client sends username + SHA1 hash to the server.

The plaintext password does not leave the client.
The hash that is sent to the server is not a simple SHA1(password)!
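To make the four steps above concrete, here is an added example of the challenge/response flow with both sides in one script. It is not the project's own code and it simplifies the scheme: it assumes the server stores only SHA1(salt + password), that the nonce is chosen by the client, and that every login response is SHA1(stored_hash + challenge + nonce). Under those assumptions the plaintext password never leaves the client, and a response captured from the wire is bound to one challenge, which the server accepts only once.

```python
import hashlib
import secrets

# Added example, not the project's code. ASSUMPTION: the server keeps only
# SHA1(salt + password) per user, and a login response is
# SHA1(stored_hash + challenge + nonce). The real JS-SHA-Login hashing
# layout may differ; the flow (challenge -> hash -> verify) is the point.


def sha1_hex(*parts: str) -> str:
    """SHA1 over the concatenation of the given strings, as hex."""
    return hashlib.sha1("".join(parts).encode()).hexdigest()


class Server:
    """Server side: hands out challenges and verifies responses."""

    def __init__(self):
        self.users = {}            # username -> (salt, SHA1(salt + password))
        self.open_challenges = {}  # challenge -> username; each usable once

    def register(self, username, password, salt=None):
        salt = salt or secrets.token_hex(8)
        # Only the salted hash is stored, never the plaintext password.
        self.users[username] = (salt, sha1_hex(salt, password))

    def get_challenge(self, username):
        """Step 1: return a fresh random challenge and the user's salt."""
        if username not in self.users:
            return None, None
        salt, _ = self.users[username]
        challenge = secrets.token_hex(16)
        self.open_challenges[challenge] = username
        return challenge, salt

    def login(self, username, challenge, nonce, response):
        """Step 4 (server side): recompute the expected hash from the stored value."""
        # A challenge is consumed on first use; an unknown or reused one fails,
        # so a response captured from the wire cannot simply be replayed.
        if self.open_challenges.pop(challenge, None) != username:
            return False
        _, stored = self.users[username]
        expected = sha1_hex(stored, challenge, nonce)
        return secrets.compare_digest(expected, response)


def client_response(password, salt, challenge, nonce):
    """Steps 2-3 (client side): only this hash is sent, never the password."""
    return sha1_hex(sha1_hex(salt, password), challenge, nonce)


def demo():
    """Run one valid login, one replay of it, and one wrong-password attempt."""
    server = Server()
    server.register("alice", "correct horse", salt="constructed-salt")  # constructed data

    challenge, salt = server.get_challenge("alice")
    nonce = secrets.token_hex(8)
    response = client_response("correct horse", salt, challenge, nonce)
    first_login = server.login("alice", challenge, nonce, response)

    # Replaying the exact captured values: the challenge is already consumed.
    replayed = server.login("alice", challenge, nonce, response)

    # Fresh challenge but wrong password: hash does not match.
    challenge2, _ = server.get_challenge("alice")
    bad = server.login("alice", challenge2, nonce,
                       client_response("wrong password", salt, challenge2, nonce))
    return first_login, replayed, bad


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Note the design choice that makes the stored value verifiable: the server can recompute SHA1(stored_hash + challenge + nonce) because it holds stored_hash, which is why the client must hash the salt and password first and then bind that intermediate value to the challenge.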

The detailed procedure is explained here: JS-SHA-Login - pseudo code

The procedure works only with JavaScript and AJAX views.
For fetching the login form, the challenge and the salt we used AJAX (with jQuery).
For building the SHA1 we used the SHA1 JavaScript implementation by Paul Johnston.


JS-SHA1-Login is not really secure in comparison to https! E.g. the client can't validate whether it is really communicating with the server or with a man-in-the-middle. JS-SHA1-Login does not protect you against session hijacking.

However, the procedure used is safer than plain-text authentication. In addition, no plain-text passwords are stored on the server, and the data that is stored on the server can not be used on its own.

If you have https, you can combine it with JS-SHA1-Login, similar to combining digest auth with https.

More information: Warum JS-SHA-Login Sinn macht... (German only, sorry)


Many, if not all, CMS/wiki/forum systems use an insecure login: user name and password are sent in plaintext over the Internet. Only https offers a reliable solution.

The problem: no provider offers a secured HTTP connection for little money :( So we have been thinking about how we can still accomplish a secure authentication.

Alternative solutions

  • Digest access authentication (an implementation for Django exists: django-digest):
    • pro
      • Browsers implement it, so no additional JavaScript is needed
    • cons
      • The password hash must be saved on the server without any salt! The stored hash itself can be used for login, because: hash = MD5(username:realm:password)
      • Uses the old MD5 hash
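The "cons" above can be checked directly against the Digest formulas from RFC 2617. The following is an added example, not part of the original page or of django-digest: it computes the unsalted HA1 = MD5(username:realm:password) and shows that the server's response check needs only HA1, never the password. That is the reason the stored value has to be protected like a password itself. The sample credentials and nonces are the ones from the RFC 2617 worked example, used here as constructed test data.

```python
import hashlib

# Added example, not the page's or django-digest's code. Implements the
# RFC 2617 "auth" qop response for a GET request to show that the stored
# HA1 alone is enough to produce (and verify) a valid response.


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """Stored server value: no per-user salt, only the fixed realm string."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response_from_ha1(ha1: str, method: str, uri: str, nonce: str,
                             nc: str, cnonce: str, qop: str = "auth") -> str:
    """Server-side check (and what a holder of HA1 can compute): needs HA1 only."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_response_from_password(username, realm, password, method, uri,
                                  nonce, nc, cnonce, qop="auth"):
    """Client-side computation: the browser starts from the password."""
    return digest_response_from_ha1(digest_ha1(username, realm, password),
                                    method, uri, nonce, nc, cnonce, qop)


def stored_hash_is_password_equivalent():
    """True if a response derived from HA1 alone matches the client's response."""
    # Constructed inputs taken from the RFC 2617 section 3.5 example.
    user, realm, password = "Mufasa", "testrealm@host.com", "Circle Of Life"
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    ha1 = digest_ha1(user, realm, password)  # what the server keeps
    from_client = digest_response_from_password(user, realm, password, "GET",
                                                "/dir/index.html", nonce, nc, cnonce)
    from_stored = digest_response_from_ha1(ha1, "GET", "/dir/index.html",
                                           nonce, nc, cnonce)
    return from_client == from_stored


if __name__ == "__main__":
    print(digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life"))
    print(stored_hash_is_password_equivalent())  # True
```

Because HA1 depends only on username, realm and password, two deployments with the same realm string store the same value for the same user and password, and a leaked user table is directly usable against the service. This is the trade-off the list above points to: no JavaScript, but an unsalted MD5 value that must be guarded as carefully as the password.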