Possible bug in crypted password management
NebulaWare
- Posts: 13
- Joined: 02 Apr 2011, 12:33
Hi, I don't know if this is the right section, but I found something annoying in these 2 methods:
CryptoUtils.getClientPassword() and getApi().checkSecurePassword()
The returned hash from getClientPassword() is lowercase, while the hash returned from the client using event.getParameters(SFSEventParam.LOGIN_PASSWORD) is uppercase.
Nothing goes wrong if you use something like this:
CryptoUtils.getClientPassword().equalsIgnoreCase("yourpassword")
But when checkSecurePassword() checks the 2 passwords it always returns false, because one is uppercase and the other is lowercase.
I think there is a bug. I've been trying to get the password working for a couple of days. It works and it doesn't work. I did double check the code. To keep it simple:
From the client side, send the password "test".
Server side code:
Code:
// hash the client sent as LOGIN_PASSWORD (reported as uppercase hex)
String cryptedPass = (String) event.getParameter(SFSEventParam.LOGIN_PASSWORD);
ISession session = (ISession) event.getParameter(SFSEventParam.SESSION);
//...
// attempt 1: lowercase the client hash before handing it to checkSecurePassword()
String dpass1 = cryptedPass.toLowerCase();
System.out.print("cryptedPass:" + dpass1 + "\n");
System.out.print("CHECK:" + getApi().checkSecurePassword(session, "test", dpass1) + "\n");
// attempt 2: let the server compute the expected hash for "test" itself (lowercase hex)
String dpass = CryptoUtils.getClientPassword(session, "test");
System.out.print("cryptedPass2:" + dpass + "\n");
System.out.print("CHECK2:" + getApi().checkSecurePassword(session, "test", dpass) + "\n");
getClientPassword does not work
I first saw this thread and thought it was solved - but now I see neither the OP (NebulaWare) nor another questioner (LightNet) has acknowledged that this has solved their respective problems. And I suspect it hasn't.
Please see my thread here: I think the getClientPassword() method does not work at all.
Hi Lapo,

Lapo wrote:
No, the solution is the one explained here.
It is just a problem with case matching. Apart from that the system works perfectly.

Please can you visit my question and answer on that thread as to why I cannot get a clear text password back from CryptoUtils.getClientPassword()?
I've already explained that the password is hashed.
Hashing is a one-way process which is not reversible. This is the strength of the system, otherwise it wouldn't be secure.
For more details:
http://www.smartfoxserver.com/docs/docP ... /index.htm
Lapo wrote:
I've already explained that the password is hashed.
Hashing is a one-way process which is not reversible. This is the strength of the system, otherwise it wouldn't be secure.
For more details:
http://www.smartfoxserver.com/docs/docP ... /index.htm

OK, that's what I worked out now. The OP seemed to be under the impression that CryptoUtils.getClientPassword() will get you the password in clear text, and now you're clarifying that it does not; rather this is itself the hashing function, not a decrypting function.
This is a pity, because it means that I cannot use my own hashing function for saving passwords on my DB; rather I am forced to use encryption/decryption to get my users' passwords from the DB, and then use SFS's hashing functions to validate. One way or another you have to have a decrypting function somewhere, and frankly I'd rather I could decrypt the password from SFS than be forced to use SFS's hashing function...
@shaulbehr
Yeah, I had the same problem with the DB having hashed passwords when I started, but the solution is to hash the password on the client side, before you encrypt it and send it over to the server side for validation. This way you can keep hashed passwords on the server side and not worry about the case, etc., as the client will be sending you the same thing.
e.g. user inputs the password --> client hashes it --> then requests login (using the hashed password) --> server gets the hashed password from the DB & you can do checkSecurePassword() with no problems.