
How does the checkSecurePassword function and hashing work?

Posted: 26 Aug 2024, 06:37
by thinhtd21091

function onUserLogin(evtParams) {
    // Connection taken from the DBManager pool (it is not closed anywhere in this handler).
    var connection = dbMan.getConnection();
    var username = evtParams.getParameter(SFSEventParam.LOGIN_NAME);
    // LOGIN_PASSWORD is the value the client computed for this session, not the clear password.
    var loginPass = evtParams.getParameter(SFSEventParam.LOGIN_PASSWORD);
    var getByUserStmt = connection.prepareStatement("SELECT username, password FROM user WHERE username=?");
    getByUserStmt.setString(1, username);
    var result = getByUserStmt.executeQuery();
    var session = evtParams.getParameter(SFSEventParam.SESSION);

    if (result.next()) {
        // Existing user: compare the stored value against what the client sent for this session.
        var dbPassword = result.getString("password");
        trace(getApi().checkSecurePassword(session, dbPassword, loginPass));
    } else {
        // Unknown user: the session-specific LOGIN_PASSWORD value is stored as-is.
        trace("Username not found: " + username);
        var insertStmt = connection.prepareStatement("INSERT INTO user (username, password) VALUES (?,?)");
        insertStmt.setString(1, username);
        insertStmt.setString(2, loginPass);
        insertStmt.executeUpdate();

        // var errData = new SFSErrorData(SFSErrorCode.LOGIN_BAD_USERNAME);
        // errData.addParameter(username);
        // throw new SFSLoginException('Username not found.', errData);
    }

    trace("Process Login.");
}


I have a check function like this, but the checkSecurePassword function always returns false. Please help me. Thanks bro

Re: How does the checkSecurePassword function and hashing work?

Posted: 26 Aug 2024, 09:08
by Lapo
Hi,
I would recommend to start from this example:
https://smartfoxserver.com/blog/custom- ... -database/

If you really need to use JDBC and bypass the DBManager, fine as well, but you need to handle the connection properly. The snippet you have posted will leak connections every time. You need to close the connection when you're done, both on success and on failure (i.e. with exceptions).

If the passwords don't match, something is wrong, either in the DB or in the pass sent by the client.
Are passwords stored in the DB in plain text, or as hashes?

Thanks
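
To make the connection leak in the posted handler countable, here is an added example (not SmartFoxServer code and not from the reply above). A toy pool stands in for the DBManager/JDBC pool; the pool, its size and the fake query are constructed for the example, and only the try/finally shape carries over to a real SFS2X JavaScript extension. It runs under Node.

```javascript
// Added example, not SmartFoxServer code. A toy pool with a fixed size so
// that a leaked connection shows up as a count, next to the try/finally
// shape that returns the connection on both success and failure.
class Pool {
  constructor(size) {
    this.size = size;   // constructed for the example; a real pool is configured elsewhere
    this.inUse = 0;
  }
  getConnection() {
    if (this.inUse >= this.size) throw new Error("pool exhausted");
    this.inUse++;
    const pool = this;
    return {
      closed: false,
      close() {
        if (!this.closed) {
          this.closed = true;
          pool.inUse--;
        }
      },
    };
  }
}

// Stand-in for the JDBC work; throws when asked to, like a failed query.
function runQuery(connection, failQuery) {
  if (failQuery) throw new Error("query failed");
  return "ok";
}

// Same shape as the posted onUserLogin: the connection is never closed, so
// every call, successful or not, keeps one connection checked out.
function leakyLogin(pool, failQuery) {
  const connection = pool.getConnection();
  return runQuery(connection, failQuery);
}

// Corrected shape: finally runs on return and on throw, so the connection
// always goes back to the pool.
function safeLogin(pool, failQuery) {
  const connection = pool.getConnection();
  try {
    return runQuery(connection, failQuery);
  } finally {
    connection.close();
  }
}

// Drive n logins through a handler and report what the pool looks like after.
function runLogins(handler, n, poolSize, failQuery) {
  const pool = new Pool(poolSize);
  let exhausted = 0;
  let queryErrors = 0;
  for (let i = 0; i < n; i++) {
    try {
      handler(pool, failQuery);
    } catch (e) {
      if (e.message === "pool exhausted") exhausted++;
      else queryErrors++;
    }
  }
  return { inUse: pool.inUse, exhausted, queryErrors };
}

console.log("leaky:", runLogins(leakyLogin, 5, 2, false));              // inUse 2, exhausted 3
console.log("safe:", runLogins(safeLogin, 5, 2, false));                // inUse 0
console.log("safe, failing queries:", runLogins(safeLogin, 5, 2, true)); // inUse 0, queryErrors 5
```

With a pool of two, the leaky handler serves two logins and then every further login fails with "pool exhausted", whether or not the queries themselves succeed. The try/finally version leaves nothing checked out even when every query throws, which is the "both on success and on failure" point from the reply.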

Re: How does the checkSecurePassword function and hashing work?

Posted: 26 Aug 2024, 10:19
by thinhtd21091
My passwords in the database are hashed. When the client sends the password, I take the 'LOGIN_PASSWORD' parameter, which is already hashed by default, and then I store it in the database. However, when I retrieve it and use the 'checkSecurePassword' function, an error occurs. I don't understand why this is happening.

Re: How does the checkSecurePassword function and hashing work?

Posted: 26 Aug 2024, 14:10
by Lapo
When the client sends the password, I take the 'LOGIN_PASSWORD' parameter, which is already hashed by default, and then I store it in the database

That can be a problem. The password sent from the client is hashed with the current session token, so the next time you try to log in the client is unable to recreate the same hash and it's going to fail.

There are two solutions:
1- make sure to use a system that hashes the password the same way every time (from both client and DB sides)
2- make use of the more secure SSL/TLS login and use hashing + salt on the database side.

Here's a detailed discussion of the two approaches:
https://smartfoxserver.com/blog/login-with-encryption/

If anything is unclear let us know.

Re: How does the checkSecurePassword function and hashing work?

Posted: 27 Aug 2024, 03:43
by thinhtd21091
Thanks bro