Oh, I just see the badge "no view and no answer for a long time" and it bring me back here. I've finally found the answer :
The register is something you do only one time so you can send the hash key without a really good protection. (I mean against sniffing).
So here is the scenario to register :
- Client enter login and password
- Client sends login, hash (sha256(login + password))
- The server store this pair in database (you can cache it in hashmap to increase speed)
Now for the login
- Client : ask for a session salt throught a rest service or hidden field in html page.
- Server : generate the salt from datetime and random and store in session
- Client enter the login and password
- Client javascript hash sha256(sha256(login + password) + salt) and store the pair (login, hash) in the localstorage (html5, be carefull to modernizer or other stuff like this, this pair need to stay private)
- Server check if (sha256(stored_hash_for_login + salt_in_session) == hash received)
- Server : if it's ok store the token shared with the Client
- Client logged in
Now Everytime the client want to make a authenticate request, he will use the following method :
- get the pair (login, token) from localstorage
- generate a hash of is request like this :
- hash_request = sha256(login + sha256(token + timestamp) + sha256(token + paramA) + ...)
- The param need to be in alphabetic order.
The Server receive the request (login, timestamp, params, hash_request), check if the timestamp is not too old and do the generate the hash_request from the token in hashmap for the login and check if it the same. In this way, you avoid the replay (timestamp) and the clear password.