I have completed login functionality using Auth middleware where is used a Bcrypt encryption method. Login functionality is works fine. But we need to handle set password functionality with having old password need to validate. But everytime Bcrypt method change the password string so the previous store bcrypt string of password in table is not match with the manually enter password in the set password form. So how to validate old password field if it will not match with existing saved passoword in the table.
$credentials = request(['email', 'password']);
$user=Auth::attempt($credentials);
You are using Laravel so you should use Hash in order to deal with passwords.
Here is all you need to know about it: https://laravel.com/docs/6.x/hashing#basic-usage
In short you can create and verify the passwords in following ways:
Create hashed password to store in DB:
$hashedPassword = Hash::make($request->password);
Verify against existing password
if (Hash::check('entered-password-by-user', $hashedPassword)) {
// The passwords match...
}
Of course dont forget to include Hash facade: use Illuminate\Support\Facades\Hash;
md5 is ancient and very vulnerable way to go if you want to hash your passwords with it. It is HIGHLY DISCOURAGED!
Related
I am trying to use the Pimcore password datatype. It is working fine and the password is stored as encrypted data.
Now I need to check the correct username and password. I could not match the encrypted password. I want to get the username and password using an API request. If the username and the password is correct then return value.
The password is hashed before it is stored to the database. Have a look at the password class within this path:
pimcore/models/DataObject/ClassDefinition/Data/Password.php
If you want to compare the hashed password within the database then use the functions of the password datatype. The password to compare also has to be hashed.
Have a closer look on the functions calculateHash() and verifyPassword() within the class. You should be able to compare passwords by using those functions.
Here is an example :
$user = User::GetByEmail($email, ['limit' => 1, 'unpublished' => false]);
$classDefinition = ClassDefinition::getById(User::classId());
/** #var \Pimcore\Model\DataObject\ClassDefinition\Data\Password $passwordFieldDefinition */
$passwordFieldDefinition = $classDefinition->getFieldDefinition('password');
$verified = $passwordFieldDefinition->verifyPassword($password, $user, false);
I am working on ATG11.2 , my requirement is as below:
User will click on forgot password button, a link with encoded user id and a temporary password will be sent to email. User will click on the link sent in email and will be redirected to ResetPassword.jsp where he will get an option to fill temporary password which is sent in email, new password and confirm password respectively
I am using ForgotPasswordHandler for this implementation. I have read that forgotpasswordhandler method replaces the password property with the new generated password. Therefore m storing the input box value of temporary password in ProfileFormHandler.value.oldpassword
The values are as below:
Temporary Password :
New Password:
ConfirmPassword
But , when I am debugging handleChangePassword method in ProfileForm it is not able to compare the passwords properly. Please suggest if my approach is correct , or what do I need to override in gmethod if any required.
ATG stores passwords in encrypted format.
You need to store your oldPassword in encrypted format too. The passwords will not be equal unless both the passwords are hashed and are same.
I am using revel to build my webapplication and trying to write authentication module.
I finished with sign up part and now heading to write sign in part.
I read about security part on The definitive guide to form-based website authentication and will use this recommendation.
What I am really do not know is, how sign in works. I am imaging that the process works like this:
User write username and password into the html form and press sign in
Server receive request and the controller will check, if user information match with data on database.
If yes, how continue.
The third point is where I am staying. But I have some idea how could works and not sure, if is the right way.
So when sign in information match with the database, I would set in session object(hash datatype) key value pair signed_in: true. Everytime when the user make a request to the webapplication, that need to be authenticated, I would look in the session object, if signed_in is true or not.
This is the way I would do, but as I mentioned above, I do not know if it is the right way.
Yes like #twotwotwo mentioned, give it the user id and also a role.
So server side rendered flow: Step 1
user sends username (or other identifier) and secret.
using scrypt or bcrypt the secret is checked against the stored salted hash in the database
if it matches you create a struct or a map
serialize struct or map into string (json, msgpack, gob)
encrypt the string with AES https://github.com/gomango/utility/blob/master/crypto.go (for instance). Set a global AES key.
create a unique cookie (or session) identifier (key)
store identifier and raw struct or map in database
send encrypted cookie out (id = encrypted_struct_or_map aka the encrypted string)
On a protected resource (or page): Step 2
read identifier from cookie
check if id exists in db
decode cookie value using AES key
compare values from cookie with stored values
if user.role == "allowed_to_access_this_resource" render page
otherwise http.ResponseWriter.WriteHeader(403) or redirect to login page
Now if you wanted you could also have an application-wide rsa key and before encrypting the cookie value sign the string with the rsa private key (in Step 1). In Step 2 decode with AES key, check if signature valid, then compare content to db stored content.
On any changes you have to update the cookie values (struct/map) and the info in the database.
Using Apache mod_auth_basic and mod_authn_dbd you can authenticate a user by looking up that user's password in the database. I see that working if the password is held in clear, but what if we use a random string as a salt (also stored in the database) then store the hash of the concatenation?
mod_authn_dbd requires you to specify a query to select that password not to decide if the user is authenticated of not. So you cannot use that query to concatenate the user provided password with the salt then compare with the stored hash.
AuthDBDUserRealmQuery "SELECT password FROM authn WHERE user = %s AND realm = %s"
Is there a way to make this work?
Looking at the Password Formats for Basic Auth it seemed that I could make this work if the hash is done using the apr_md5_encode function.
Found another question that relates to this and links to a Java implementation. I used that implementation with a small change to calculate the database hash inside my website normal user-creation flow. After this i could use mod_authn_dbd with this query:
AuthDBDUserRealmQuery "SELECT CONCAT('$apr1$',password_salt,'$',password_hash) FROM users WHERE user = %s AND realm = %s"
this is my code, it works, except for the passwords, how would I fix this? I know I should do something with md5 but I couldn't get found solutions to work with my code. I really need to make this right and safe, please assist
//get the posted values
$username=htmlspecialchars($_POST['user_name'],ENT_QUOTES);
$password=htmlspecialchars($_POST['password'],ENT_QUOTES);
$check_for_username = $mysqli->query("SELECT username FROM q4jli_users WHERE username='$username' AND password=MD5('$password')");
if (mysqli_num_rows($check_for_username)) {
echo "yes";
} else {
echo "no";
}
Thanks in advance
MD5 is outdated and no longer a sufficient method of password encryption. You should investigate salted hashes using more modern encryption algorithims.
food for thought:
bcrypt
First of all, you need to make sure that a user's password is encrypted into the database with MD5. If not, then you can use this code:
$mysqli->query("INSERT INTO q4jli_users (username, password) VALUES ('$username', MD5('$password'))");
Then, when seeing if a user enters the correct password, you need to encrypt it to MD5 and then run a query in the database:
$check_for_username = $mysqli->query("SELECT username FROM q4jli_users WHERE username='$username' AND password=MD5('$password')");