Possible bug in crypted password management
Posted: 23 Apr 2011, 14:23
by NebulaWare
Hi, I don't know if this is the right section, but I found something annoying in these 2 methods:
CryptoUtils.getClientPassword() and getApi().checkSecurePassword()
The returned hash from getClientPassword() is lowercase, while the hash returned from the client using event.getParameters(SFSEventParam.LOGIN_PASSWORD) is uppercase.
Nothing goes wrong if you use something like this:
CryptoUtils.getClientPassword().equalsIgnoreCase("yourpassword")
But when checkSecurePassword() checks the 2 passwords it always returns false because one is uppercase and the other is lowercase.
Posted: 23 Apr 2011, 15:47
by appels
Yep, a known issue, and fixed in the next release I think.
Posted: 23 Apr 2011, 15:47
by Lightnet
I think there is a bug. I have been trying to get the password working for a couple of days. It works and it doesn't work. I did double-check the code. To keep it simple:
From the client side, send the password "test".
Server-side code:
// Hex digest of the password as sent by the client (arrives in uppercase)
String cryptedPass = (String) event.getParameter(SFSEventParam.LOGIN_PASSWORD);
// Session of the client that is logging in
ISession session = (ISession) event.getParameter(SFSEventParam.SESSION);
//...
// Normalize the client digest to lowercase before comparing
String dpass1 = cryptedPass.toLowerCase();
System.out.print("cryptedPass:" + dpass1 + "\n");
System.out.print("CHECK:" + getApi().checkSecurePassword(session, "test", dpass1) + "\n");
// Digest computed on the server for the same session and clear-text password (lowercase)
String dpass = CryptoUtils.getClientPassword(session, "test");
System.out.print("cryptedPass2:" + dpass + "\n");
System.out.print("CHECK2:" + getApi().checkSecurePassword(session, "test", dpass) + "\n");
Posted: 23 Apr 2011, 16:05
by appels
checkSecurePassword().toLower() should fix it.
Posted: 26 Apr 2011, 13:44
by Lapo
Yep, already discussed in another thread.
We'll improve it in the next update.
getClientPassword does not work
Posted: 22 May 2011, 12:43
by shaulbehr
I first saw this thread and thought it was solved - but now I see neither the OP (NebulaWare) nor another questioner (LightNet) has acknowledged that this has solved their respective problems. And I suspect it hasn't.
Please see my thread here: I think the getClientPassword() method does not work at all.
Posted: 22 May 2011, 15:12
by Lapo
No, the solution is the one explained here.
It is just a problem with case matching. Apart from that the system works perfectly.
Cheers
Posted: 22 May 2011, 15:23
by shaulbehr
Lapo wrote: No, the solution is the one explained here.
It is just a problem with case matching. Apart from that the system works perfectly.
Hi Lapo,
Please can you visit my question and answer on that thread as to why I cannot get a clear-text password back from CryptoUtils.getClientPassword()?
Posted: 23 May 2011, 08:01
by Lapo
I've already explained that the password is hashed.
Hashing is a one-way process which is not reversible. This is the strength of the system; otherwise it wouldn't be secure.
For more details:
http://www.smartfoxserver.com/docs/docP ... /index.htm
Posted: 23 May 2011, 12:10
by shaulbehr
OK, that's what I worked out now. The OP seemed to be under the impression that CryptoUtils.getClientPassword() will get you the password in clear text, and now you're clarifying that it does not; rather this is itself the hashing function, not a decrypting function.
This is a pity, because it means that I cannot use my own hashing function for saving passwords on my DB; rather I am forced to use encryption/decryption to get my users' passwords from the DB, and then use SFS's hashing functions to validate. One way or another you have to have a decrypting function somewhere, and frankly I'd rather I could decrypt the password from SFS than be forced to use SFS's hashing function...
Posted: 25 May 2011, 08:12
by Sigtran
@shaulbehr
Yeah, I had the same problem with the DB having hashed passwords when I started, but the solution is to hash the password on the client side, before you encrypt it and send it over to the server side for validation. This way you can keep hashed passwords on the server side and not worry about the case etc., as the client will be sending you the same thing.
e.g. user inputs the password --> client hashes it --> then request login (using the hashed password) --> server gets the hashed password from the DB & you can do checkSecurePassword() with no problems.
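The two points this thread turns on, the uppercase/lowercase hex mismatch reported in the first post and the client-side pre-hashing scheme Sigtran describes, can be shown in one small simulation. This is an added example written for this page, not code from the thread or from SmartFoxServer. It assumes the challenge digest is a hash computed over the session token followed by the secret, using SHA-256 hex here as a stand-in because the thread does not name the hash function; the function names (password_digest, check_secure_password, client_prehash, login_flow) and the session token value are hypothetical and constructed for the example.

```python
import hashlib
import hmac
import secrets


def password_digest(session_token: str, secret: str) -> str:
    """Server-side challenge digest, the role getClientPassword() plays in the thread.

    Assumption: hash over (session token + secret), returned as lowercase hex.
    """
    return hashlib.sha256((session_token + secret).encode("utf-8")).hexdigest()


def client_side_digest(session_token: str, secret: str, uppercase: bool = True) -> str:
    """What the client sends as LOGIN_PASSWORD; some clients hex-encode in uppercase."""
    digest = password_digest(session_token, secret)
    return digest.upper() if uppercase else digest


def naive_check(session_token: str, stored_secret: str, client_digest: str) -> bool:
    """Plain string equality: fails whenever the two sides differ only in hex case."""
    return password_digest(session_token, stored_secret) == client_digest


def check_secure_password(session_token: str, stored_secret: str, client_digest: str) -> bool:
    """Case-insensitive, constant-time comparison of the two digests.

    Decoding both hex strings to bytes removes the case problem entirely
    (bytes.fromhex accepts either case); hmac.compare_digest avoids leaking
    how many leading bytes matched through timing.
    """
    try:
        received = bytes.fromhex(client_digest)
    except ValueError:
        return False  # not a hex digest at all, reject
    expected = bytes.fromhex(password_digest(session_token, stored_secret))
    return hmac.compare_digest(expected, received)


def client_prehash(plaintext: str) -> str:
    """Sigtran's scheme: the client hashes the password before the login request.

    The DB stores this same value, so the server never needs the clear text.
    """
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def login_flow(db_stored_hash: str, plaintext_entered: str, uppercase_client: bool = True) -> bool:
    """Full exchange: server issues a token, client pre-hashes and answers the
    challenge, server validates against the hash it already holds in the DB."""
    session_token = secrets.token_hex(16)          # issued by the server per session
    prehashed = client_prehash(plaintext_entered)  # client side
    sent = client_side_digest(session_token, prehashed, uppercase_client)
    return check_secure_password(session_token, db_stored_hash, sent)  # server side


if __name__ == "__main__":
    token = "a1b2c3d4"  # constructed session token for the demo
    sent = client_side_digest(token, "test")  # uppercase, as in the first post
    print("naive equality :", naive_check(token, "test", sent))            # False
    print("case-insensitive:", check_secure_password(token, "test", sent))  # True
    stored = client_prehash("test")
    print("prehash login   :", login_flow(stored, "test"), login_flow(stored, "wrong"))
```

Decoding to bytes is preferable to calling toLowerCase() on one side, because it also rejects strings that are not valid hex. Note that with client-side pre-hashing the stored hash becomes the credential the client actually presents, so the DB column still needs the same protection a password column would get.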