Re: User, Encrypting Passwords and validating

You seem to be doing a lot of work fudging up the password, without any real gain. Your scheme could be simplified by just passing a random string to the user and storing that same random string in the database along with the username and password.

What you seem to be attempting is usually called ticket based authentication. The user provides a username and password, and if authenticated, you give them a ticket that will allow them back in without needing to enter their password again.

But you are missing a critical piece in order to make it secure. It is absolutely vital that the ticket can be expired at some point. Otherwise an attacker could sniff the ticket, or pull it from someones cookie file, and use it at any time in the future to gain access without a password.

- Cees

Comment on Re: User, Encrypting Passwords and validating

Replies are listed 'Best First'.
Re: Re: User, Encrypting Passwords and validating by Thathom (Acolyte) on Feb 07, 2004 at 18:24 UTC
Yeah good point actually. I guess im trying to never store the users password in either the file or in the cookie. Just trying to figure out now to do it, so if anyone hacks either the cookie or the file, they'll never end up getting the original password. Thanks! that's helped ThAtH0M	[reply]
Re: Re: Re: User, Encrypting Passwords and validating by cees (Curate) on Feb 07, 2004 at 18:48 UTC
I guess im trying to never store the users password in either the file or in the cookie. That is usually accomplished by only storing a one way hash of the password. This is how the Unix passwd/shadow file stores passwords. You can check to see if a supplied password is valid by hashing it again and comparing it against what is stored. `if (crypt($password, $storedpwd) ne $storedpwd) { die "Sorry...\n"; } else { print "ok\n"; }` [download] You mentioned that you don't want to use external modules, so I showed an example using the built in 'crypt' function (see 'perldoc -f crypt' for more info), but it would be more secure to use SHA1 or MD5 hashes. - Cees	[reply] [d/l]