How does the checkSecurePassword function and hashing work?

Post here your questions about SFS2X. Here we discuss all server-side matters. For client API questions see the dedicated forums.

Moderators: Lapo, Bax

thinhtd21091
Posts: 10
Joined: 23 Aug 2024, 02:56

How does the checkSecurePassword function and hashing work?

Post by thinhtd21091 »


function onUserLogin(evtParams) {
    var connection = dbMan.getConnection();
    var username = evtParams.getParameter(SFSEventParam.LOGIN_NAME);
    // value the client already hashed for this session
    var loginPass = evtParams.getParameter(SFSEventParam.LOGIN_PASSWORD);
    var getByUserStmt = connection.prepareStatement("SELECT username, password FROM user WHERE username=?");
    getByUserStmt.setString(1, username);
    var result = getByUserStmt.executeQuery();
    var session = evtParams.getParameter(SFSEventParam.SESSION);

    if (result.next()) {
        // compare the stored value against the hash sent for this session
        var dbPassword = result.getString("password");
        trace(getApi().checkSecurePassword(session, dbPassword, loginPass));
    } else {
        // first login: store whatever the client sent as the password
        trace("Username not found: " + username);
        var insertStmt = connection.prepareStatement("INSERT INTO user (username, password) VALUES (?,?)");
        insertStmt.setString(1, username);
        insertStmt.setString(2, loginPass);
        insertStmt.executeUpdate();

        // var errData = new SFSErrorData(SFSErrorCode.LOGIN_BAD_USERNAME);
        // errData.addParameter(username);
        // throw new SFSLoginException('Username not found.', errData);
    }

    trace("Process Login.");
}


I have a check function like this, but the checkSecurePassword function always returns false. Please help me. Thanks bro
Lapo
Site Admin
Posts: 23438
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: How does the checkSecurePassword function and hashing work?

Post by Lapo »

Hi,
I would recommend to start from this example:
https://smartfoxserver.com/blog/custom- ... -database/

If you really need to use JDBC and bypass the DBManager, that's fine as well, but you need to handle the connection properly. The snippet you have posted will leak connections every time. You need to close the connection when you're done, both under success and failure (i.e. with exceptions).

If the passwords don't match, something is wrong, either in the DB or in the password sent by the client.
Are passwords stored in the DB in plain text, or as hashes?

Thanks
Lapo
--
gotoAndPlay()
...addicted to flash games
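To make the connection-handling point above concrete, here is an added example (written for this page, not SFS2X's or the poster's code) that runs the lookup inside the try/finally shape the reply asks for. The `dbMan` stand-in, `withConnection` and `fetchStoredPassword` are all constructed here for illustration so it runs in plain Node.js; in a real extension `dbMan.getConnection()` returns a java.sql.Connection and the same nesting (result set, statement, connection, innermost closed first) applies.

```javascript
// Added example, not SFS2X code: an in-memory stand-in for dbMan/JDBC that
// counts how many connections were opened and closed, plus a fault-injection
// flag so the failure path can be exercised. Constructed for this page only.
function makeFakeDbMan(rows) {
  const state = { opened: 0, closed: 0, failNextQuery: false };
  return {
    state: state,
    getConnection: function () {
      state.opened += 1;
      let open = true;
      return {
        prepareStatement: function (sql) {
          const params = [];
          return {
            setString: function (index, value) { params[index - 1] = value; },
            executeQuery: function () {
              if (!open) throw new Error("connection already closed");
              if (state.failNextQuery) {
                state.failNextQuery = false;
                throw new Error("simulated SQL error for " + sql);
              }
              const hits = rows.filter(function (r) { return r.username === params[0]; });
              let cursor = -1;
              return {
                next: function () { cursor += 1; return cursor < hits.length; },
                getString: function (column) { return hits[cursor][column]; },
                close: function () {},
              };
            },
            close: function () {},
          };
        },
        close: function () { open = false; state.closed += 1; },
      };
    },
  };
}

// Runs work(connection) and releases the connection whether the work returns
// normally or throws. This is exactly what the original snippet lacked.
function withConnection(dbMan, work) {
  const connection = dbMan.getConnection();
  try {
    return work(connection);
  } finally {
    connection.close();
  }
}

// Returns the stored password for a username, or null when the user is unknown.
// Statement and result set are closed in their own finally blocks, innermost first.
function fetchStoredPassword(dbMan, username) {
  return withConnection(dbMan, function (connection) {
    const stmt = connection.prepareStatement("SELECT username, password FROM user WHERE username=?");
    try {
      stmt.setString(1, username);
      const rs = stmt.executeQuery();
      try {
        return rs.next() ? rs.getString("password") : null;
      } finally {
        rs.close();
      }
    } finally {
      stmt.close();
    }
  });
}
```

With the fake, three lookups (one hit, one miss, one injected SQL error) leave `opened` and `closed` both at 3; drop the finally blocks and the error path leaves a connection open, which is the leak the reply is warning about.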
thinhtd21091
Posts: 10
Joined: 23 Aug 2024, 02:56

Re: How does the checkSecurePassword function and hashing work?

Post by thinhtd21091 »

My passwords in the database are hashed. When the client sends the password, I take the 'LOGIN_PASSWORD' parameter, which is already hashed by default, and then I store it in the database. However, when I retrieve it and use the 'checkSecurePassword' function, an error occurs. I don't understand why this is happening.
Lapo
Site Admin
Posts: 23438
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: How does the checkSecurePassword function and hashing work?

Post by Lapo »

When the client sends the password, I take the 'LOGIN_PASSWORD' parameter, which is already hashed by default, and then I store it in the database

That can be a problem. The password sent from the client is hashed with the current session token so, the next time you try to log in, the client is unable to recreate the same hash and it's going to fail.

There are two solutions:
1- make sure to use a system that hashes the password the same way every time (from both client and DB sides)
2- make use of the more secure SSL/TLS login and use hashing + salt on the database side.

Here's a detailed discussion of the two approaches:
https://smartfoxserver.com/blog/login-with-encryption/

If anything is unclear let us know.
Lapo
--
gotoAndPlay()
...addicted to flash games
thinhtd21091
Posts: 10
Joined: 23 Aug 2024, 02:56

Re: How does the checkSecurePassword function and hashing work?

Post by thinhtd21091 »

Thanks bro