How to sign a web form and validate the signature

banzinho

Hi !!!

I'm facing a project where I need to verify that the person who is filling and submiting a form vía web, is the real person who says it is in the login (and that way he can not reject a transaction with his signature). Well i've been searching and I think that digitally signing "something" before the submit could help.

I need some help, if someone has faced this problem, if PHP is a good technology, or I need to blend with an applet to sign the form, and validate in PHP the signature, is there some standard in the industry to do that, please if someone can show me the light on this...

Thank you very much in advance....

Regards
Banzinho

tucker

banzinho wrote:
Hi !!!

I'm facing a project where I need to verify that the person who is filling and submiting a form vía web, is the real person who says it is in the login (and that way he can not reject a transaction with his signature). Well i've been searching and I think that digitally signing "something" before the submit could help.

I need some help, if someone has faced this problem, if PHP is a good technology, or I need to blend with an applet to sign the form, and validate in PHP the signature, is there some standard in the industry to do that, please if someone can show me the light on this...

Thank you very much in advance....

Regards
Banzinho

What do you mean by signing? If you mean actually signing a name then I have no idea how to do that...you would probably have to use an applet.

-tucker-

_theworks

Hi,
Interesting Idea...
well...
if by signing you mean signing your signature with a mouse :queasy:

you would either need to use flash or a applet to do the signature as PHP scripts are executed server-side and dont provide that sort of functionallity.

you would then have to save the signature as some sort of bitmap and confirm that its the same as older 1's (in a db?)

im really not sure on this and i know that if I was asked to sign for somthing with a mouse it would be hard to get it EXACTLY the same each time and it would become frustrating...

Botkiller

What you could try to get quite validate information is the use of IP information, when someone registers the IP address will be saved to a database and when someone wants to use the form it checks if the IP addresses are identical. However you get problems with people who don't have a static ip address or when someone tries to log in from somewhere else.

Any other way? I don't know

banzinho

Thank you all for answering, when I say signing, I mean digitial signature, with a private and public key, it's a complex way to work around my problem, but maybe the most secure, but I need a very simple way, because the users in the project are in a very low level in computer knowledge.

The IP is a good idea too, but the good thing of signing is that every person has a private key, so many people can use the same computer...

There's another ideas?

Thank you very much for helping me!!!

Bazinho

_theworks

IP addresses change regularly and if the user is on a proxy they share the same IP as all the other users of the proxy...

you could use cookies, slightly more secure but still they can be deleted by the user
easily.

how secure is this supposed to be? why dont you just create a login script?

Tea_J

i say a rather simple login script and session functions would do the trick..

that digital signiture you're talking about.. unless you mean using encryption keys, then you have to go with SSL way.. but when you say foreign and private key, i think password plus session id is rock solid already.

banzinho

Thanks for answering, well the system i'm developing needs ultra high security, we're using SSL to encript the info, login scripts to enter the site, and digital signatures to provide security that no one but the holder of the "key" will be able to put transactions on the system with his id.

This is very usefull when you give services to people that need something important to trust you.

Normally, SSL gives the customer confidence to buy on that site, but nothing gives confidence to the site to sell to that guy, so we are trying to trust both parties.

Thanks for the help, I'll keep searching!

Banzinho

Botkiller

maybe you can make a login script and hash the username+password together. Put that in a database and when they sign that form let them enter their username and password. Hash the entered values and check in the database if they're the same.

Perhaps you can use a passphrase to and combine that with the username+password hash.