Passing encrypted password between systems - ideas?
Message
From: 02/08/2018 15:30:13
To: 30/05/2018 17:05:42
General information
Forum: Visual FoxPro
Category: Coding, syntax & commands
Environment versions
Visual FoxPro: VFP 9 SP2
OS: Windows Server 2012 R2
Network: Windows Server 2012 R2
Database: Visual FoxPro
Application: Desktop
Virtual environment: VMWare
Miscellaneous
Thread ID: 01660458
Message ID: 01661421
Views: 63
I can indeed coordinate with the web developer. I have a couple of follow-up clarifications if you could (see code with a *** in front of it that needs clarification).

To create and save credentials, you initially should:

input userName ( min 4 chars )
input password ( min 8 chars )

initHash = sha256( password + userName )

Server:

receives from the new client:

-UserName
-initHash

then calculate:

dbSalt = guid()
dbHash = sha256( initHash + dbSalt )

*** I assume the "DB" in the next line is the server side database, correct?

Save on your DB:

userName
dbHash
dbSalt

*** What gets returned to the client at this point? Or is there something returned?

( dbSalt is used as protection against brute force and dictionary attacks in case someone gains access to the table )

Now your server has all it needs to authenticate the user ( see there's no password anywhere )

Later, to access the service, you enter the login page or endpoint and request access for the "userName";
the server looks for the userName and answers, creating a string (the nonce) which at least includes information about the call number,
date-time and a random or secret string:

randomString = sys(2015) && for simplicity of this example

And returns it to the client along with the dbSalt for that user:

-randomString
-dbSalt

Client then repeats:

initHash = sha256(password+userName)
dbHash = sha256( initHash + dbSalt )
sessionHash = sha256( dbHash + randomString )

and just sends sessionHash

Server just compares it with the server side calculated one for that challenge.

This is the basic explanation, but should help you get on track for https://tools.ietf.org/html/rfc7616

*** I tried to follow it through and my brain is foggy: is there anything passed above that a man-in-the-middle attack could grab and impersonate the client?

Thanks a lot.
Albert
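The registration and challenge-response exchange quoted in the post above, worked through end to end as an added example (this is not code from the thread or from either poster). It is Python with hashlib rather than VFP, assumes SHA-256 hex digests concatenated as plain strings, and uses secrets.token_hex() in place of guid() and sys(2015).

```python
import hashlib
import secrets
import time
from typing import Dict, Tuple


def sha256(text: str) -> str:
    """Hex digest of the UTF-8 bytes (the thread fixes no encoding; UTF-8 is an assumption)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Client, registration: the password never leaves the client, only initHash does.
def client_register(user_name: str, password: str) -> str:
    if len(user_name) < 4 or len(password) < 8:
        raise ValueError("userName needs 4+ chars, password 8+ chars")
    return sha256(password + user_name)  # initHash


# Server, registration: salt the received initHash, store only userName, dbHash, dbSalt.
def server_register(db: Dict[str, Dict[str, str]], user_name: str, init_hash: str) -> None:
    db_salt = secrets.token_hex(16)  # stands in for guid()
    db[user_name] = {"dbHash": sha256(init_hash + db_salt), "dbSalt": db_salt}


# Server, login step 1: build the nonce (call number, date-time, random part) and
# return it with the user's dbSalt. Nothing secret travels in this message.
def server_challenge(db: Dict[str, Dict[str, str]], user_name: str, call_number: int) -> Tuple[str, str]:
    nonce = f"{call_number}|{int(time.time())}|{secrets.token_hex(8)}"  # random part replaces sys(2015)
    return nonce, db[user_name]["dbSalt"]


# Client, login step 2: recompute the chain from the password and send only sessionHash.
def client_response(user_name: str, password: str, db_salt: str, nonce: str) -> str:
    init_hash = sha256(password + user_name)
    db_hash = sha256(init_hash + db_salt)
    return sha256(db_hash + nonce)  # sessionHash


# Server, login step 3: recompute sessionHash from the stored dbHash and the nonce it issued.
def server_verify(db: Dict[str, Dict[str, str]], user_name: str, nonce: str, session_hash: str) -> bool:
    expected = sha256(db[user_name]["dbHash"] + nonce)
    return secrets.compare_digest(expected, session_hash)  # constant-time comparison


if __name__ == "__main__":
    db: Dict[str, Dict[str, str]] = {}
    server_register(db, "albert", client_register("albert", "correct horse"))
    nonce, salt = server_challenge(db, "albert", 1)
    print(server_verify(db, "albert", nonce, client_response("albert", "correct horse", salt, nonce)))
```

Because the server recomputes sessionHash from the stored dbHash alone, the userName/dbHash/dbSalt table is itself a credential store and needs the same protection the passwords would; the per-login nonce is what stops a captured sessionHash from being accepted a second time.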