I am using a small cakephp setup, with no forgot password functionality. I want to be able to create a hashed password, using the same security hashing method and cipherseed used in the site.
Is there a way to recreate the setup in a local php file which would output a hashed password, the system would understand?
Make sure to specify that you're using the Security Component in whatever controller you're working in:
var $components = array('Security');
Then, in the action (method/function...whatever):
$myPassword = 'pizzaRules!';
$hashedPassword = Security::hash($myPassword, null, true);
The true at the end says you want to use the site's salt.
Related
i'm new to php and cakephp, i was following the Simple Authentication and Authorization Application tutorial from cakephp (http://book.cakephp.org/2.0/en/tutorials-and-examples/blog-auth-example/auth.html). All seem to working good.
I'm add a email confirmation to activate the account when a user subscribe. In the tutorial the password is using the blowfishpassword hasher. And i'm using it as a token in the link for the confirmation.
but i can't seem to be able to compare the link token with the password in the database...
$passwordHasher = new BlowfishPasswordHasher();
$motdepasse = $this->data['Utilisateur']['mot_passe'] = $passwordHasher->hash(
$this->data['Utilisateur']['mot_passe']
);
$link = array('controller'=>'utilisateurs','action'=>'activate',$this->Utilisateur->id
.'-'. $motdepasse);
public function activate($token) {
$token = explode('-',$token);
$user = $this->Utilisateur->find('first',array(
'conditions' => array('id' => $token[0],'Utilisateur.mot_passe' => Security::hash($token[1], 'blowfish', 'Utilisateur.mot_passe'))
));
debug($user);
debug($token[1]);
die();
}
Can you help me? thanks guys!
First of all you shouldn't send the password hash around, no matter how safe the hash possibly might be, confirmation tokens should be generated separately! Simply store it in an extra column or in a separate table.
That being said, in your activate() method you are hashing the hash again, which, in case the hash would actually be generated, would cause the comparison to fail. However the script won't genereate a hash, as you are using an invalid salt value which should result in the following warning:
Invalid salt: Utilisateur.mot_passe for blowfish Please visit http://www.php.net/crypt and read the appropriate section for building blowfish salts.
and Security::hash() will return an empty string. If you don't get such a message, then you'll need to enable the debug mode.
I'd suggest to get familiar with PHP, CakePHP, hashing and stuff first before you try to implement security related functionality!
You may want to check out https://github.com/CakeDC/users, it supports email verification and lot more out of the box.
In CakePHP config.php the salt is blank '' , so during saving password which mechanism cakephp use to produce password?
Which core file contains that procedure to generate hashed/md5 password?
I think it uses something like Security::hash(password);
If you search for ".salt" in the core files you should be able to find out that it is used in several places like so:
$check = Security::hash(serialize($fieldList) . $unlocked . Configure::read('Security.salt'));
(SecurityComponent)
and so:
$this->key = Configure::read('Security.salt');
(CookieComponent)
So an empty salt would simply have the affect of "no salt" for saving passwords.
although this can have sideeffects with cookies. An empty key might cause trouble.
Why would you want to omit the salt here, anyway?
I have built a login form but not a sign up form so i am putting the users details directly into the sql database.
I have found out that cakephp automatically hashes the password when the user tries to login, but at the moment I cant login because the password in the database is not hashed.
how does cakephp hash the passwords?
My security salt is Dhhfei38fhDg37dg6Dg208Dh3h380Hrjd3
Could you please walk me through what it does?
Hashed passwords in cakephp are created by:
$hashedPasswords = Security::hash($yourPass, NULL, true);
Check the cakephp manual for more info
debug(AuthComponent::password("your-password"));
That's if you are hashing your password this way inside your UserModel.
public function beforeSave() {
if (isset($this->data[$this->alias]['password'])) {
$this->data[$this->alias]['password'] = AuthComponent::password($this->data[$this->alias]['password']);
}
return true;
}
http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#hashing-passwords
Add a new user with a password. You can take the hash value of the new user's password and paste it into other user's records.
As of Cakephp 2.0, Cake only hashes passwords in the login process,
on other places (like register-method...), the password won't be hashed automatically, that's because it was considered a strange behaviour to people who where new to cakephp.
If you want to hash the password, you need to use the method Sudhir mentioned.
One of the advantages that cake does not hash passwords automatically anymore is, that you can more easily check the password complexity ( if there are included special characters, numbers, letters ecc).
According to How to – password hashing in cakephp: "Security::hash takes the type sha1."
I have forgot password feature in my cakephp application. The function for this will request the email address, find this user, generate a new password, convert it to sha1 and save it to the database, emailing the contents to the user.
Anyway I am having issues, the generated sha1 password is different to the one being saved.
I have called the info to the screen to show what is happening:
TEMP PASSWORD- lHQcVp4 (FROM THE FUNCTION)
Blockquote
SHA1 PASSWORD- 0ee4ae757733f458b9e395a8457c2ef307af99f0 (FROM sha1($user['User']['tmp_password']);
Auth Password PASSWORD- 93df9bd251620d0634235c22f4ab6fe9ad5421f4 (FROM: $this->Auth->password($user['User']['tmp_password']);)
DB Record After Save PASSWORD- 13ef648db45cc62b593c3943646806af06846016 (FROM $this->User->field('password');)
I am saving the data as follows: $this->User->save($user, false)
Why would it come though differently all 3 times? I cannot work it out. Very strange.
Thankyou
sha1($user['User']['tmp_password']
This will simply hash the password and output the text
$this->Auth->password($user['User']['tmp_password']);
This hashes the password with the cakephp salt defined in core.php. This is why you see a difference
If you simply set the password value to $user['User']['password'] and call save() on it, Auth might be hashing the password again since it doesn't know you've already hashed it. Have you tried just setting the password to $user['User']['password'] and calling save() on it? Let Auth handle the hashing for you.
I'm trying to authenticate against the user db of my website (CMS based) and it uses a slightly different approach at storing hashed passwords. It uses a randomly generated salt for each user. The salt is stored in the user db along with the hashed passwords. Hence, direct field-mapped authentication (as the External DB plugin does) won't work for me.
To start off, I just mirrored the DB plugin and modified the user_login() procedure to read the hashed password and the salt from the database and then hash the entered password again with the salt and match it up with the password in the database. Here's the code for my user_login() function
function user_login($username, $password) {
global $CFG;
$textlib = textlib_get_instance();
$extusername = $textlib->convert(stripslashes($username), 'utf-8', $this->config->extencoding);
$extpassword = $textlib->convert(stripslashes($password), 'utf-8', $this->config->extencoding);
$authdb = $this->db_init();
// normal case: use external db for passwords
// Get user data
$sql = "SELECT
*
FROM {$this->config->table}
WHERE {$this->config->fielduser} = '".$this->ext_addslashes($extusername)."' ";
$authdb->SetFetchMode(ADODB_FETCH_ASSOC);
// No DB Connection
if ( !$rs = $authdb->Execute( $sql ) ) {
$authdb->Close();
print_error('auth_dbcantconnect','auth');
return false;
}
// No records returned
if( $rs->EOF ) {
$rs->Close();
$authdb->Close();
return false;
}
// Get password
$db_password = $rs->fields['user_password'];
$salt = $rs->fields['user_salt'];
// Close DB Conn
$rs->Close();
$authdb->Close();
// Return match
return sha1( $extpassword . $salt ) == $db_password;
}
But when I try to login, username / passwords corresponding to the website (CMS) database are failing. However, the password (for the same user) that was stored in Moodle earlier on (before I tried using this custom plugin) is getting me through.
That means, either my authentication routine is failing or moodle's internal db based auth mechanism is taking precedence over it.
I've enabled ADODB debug mode - but that isn't helping either. When I enable the debug output from Server settings, the error messages are being sent prior to the page headers. Thus the login page won't display at all.
I have all other forms of authentication turned off (except for Manual which can't be turned off) and my own.
Any ideas on how to solve this issue?
Can you confirm the order that the authentication pluggins are displayed? This will determine the order in which they are used. See..
http://docs.moodle.org/en/Manage_authentication
Either way, the behaviour you're seeing suggests that your code is returning false and the fall through logic described here...
http://moodle.org/mod/forum/discuss.php?d=102070
... and here...
http://docs.moodle.org/en/Development:Authentication_plugins
... is kicking in.
Have you tried returning "true" always from your plugin to ensure that it's being called. Then, you can start returning "true" based upon other things (hard coded usernames etc). This approach will allow you to get to the point where you are either continuing to fail or seeing more targetted failures. Are you sure, for example, that it's the user_login function and not the subsequent call to update_user_record that is failing?
Finally, are you sure you're generating the salted password in the exact same way that it was created in the first place? This would be, for me, the most likely cause of the problem. Can you take control of the creation of the salted password so that you own both creation of new users and authentication of users - this would ensure that you were in sync with how the salted password and hash were generated.