
joejac
Posts: 242
Posted: 03/08/2009, 6:44 PM
Hello,
I am using CCS 4.2 PHP5, MySQL5, Vista Home Premium
I had a non-encrypted password field, and I followed the tip from here: http://forums.yessoftware.com/posts.php?post_id=98301
1.- UPDATE users SET user_password=PASSWORD(user_password);
2.- In Project Settings-Advanced Security Setting I checked:
Encrypt passwords using
*Database Function: PASSWORD
And I always get the error: "Login or Password is incorrect."
I unchecked "Encrypt passwords using", then I went into phpMyAdmin and overwrote one user's password, and I was able to successfully enter the application without "password encryption".
Can somebody help me find what I am doing wrong with the encryption?
Thanks a lot in advance
Regards
joejac

hector
Posts: 16
Posted: 03/08/2009, 10:24 PM
Joejac,
I am using an MD5 one-way hash for protecting the user's password.
If you want to try:
1.- Go to Project/Settings/Security, then press the "Advanced" button.
2.- Check "Encrypt Password Using", then "Database Function" MD5, without quotes or parentheses.
3.- Now we can regenerate and deploy the code. CodeCharge will automatically modify CCLoginUser (included in Common.php) to use MD5.
From now on we have to store the MD5 hash of the password instead of the password itself.
4.- So we need to update the passwords in the database. IT IS A ONE-TIME PROCESS. Example: UPDATE users_table as user SET user.password = md5(user.password) WHERE user.username = "myname";
In the case of MD5, be careful with the length of the storage of the "password" field, it must be 32 characters long. It could be longer but it is not necessary because MD5 produces a 128 bit hash = 32 Bytes. No matter how long the original password is, MD5 produces 128 bits.
Now you can test your login. It should work.
The other side of the problem is letting the user change the password.
In the change password form, besides the password field, we need to create a ShadowPassword field that is better to keep hidden. Then in the BeforeShow event we put the Action "Preserve Password" and in the BeforeExecuteUpdate event we use the action "Encrypt Password".
In both "Preserve Password" and "Encrypt Password" we have to complete the "Password Control Name" and "Shadow Control Name". Try it, it works.
The "Preserve Password" action moves the password from the selected "Password Control Name" to the "Shadow Control Name". The "Encrypt Password" action does the opposite.
Hope it helps.
Regards.
Héctor.
PS: Is it possible to upload images to the forum?

joejac
Posts: 242
Posted: 03/09/2009, 8:13 AM
Thanks a lot Héctor.
I will also create a ticket to support to see why the Database Function: PASSWORD is not working for me.
I do not think it is possible to upload images to the forum.
Best regards
joejac

hector
Posts: 16
Posted: 03/09/2009, 9:46 AM
Quote joejac:
Thanks a lot Héctor.
I will also create a ticket to support to see why the Database Function: PASSWORD is not working for me.
I do not think it is possible to upload images to the forum.
Best regards
joejac
I understand that the PASSWORD function works the same way as MD5; besides the strengths of each algorithm, the difference is the size of the hash. It is 41 bytes long for PASSWORD, 16 bytes for MD5 and 20 bytes for SHA1. All of them are one-way hash functions.
Regards.
Hector.

joejac
Posts: 242
Posted: 03/29/2009, 8:35 AM
Hello,
Please be aware that for "Encrypt passwords using" Database Function "PASSWORD", the password field has to be a minimum of 50 characters long: varchar(50), no less.
Best regards
joejac
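
The column-width failure discussed in this thread, as an added example that is not part of any post or of CodeCharge Studio's code: it reproduces the output of MySQL's `PASSWORD()` (the 4.1-and-later format) and `MD5()` in Python, shows what a too-narrow VARCHAR keeps when strict SQL mode is off, and classifies stored values so truncated rows can be found. The helper names and the sample password are assumptions made for the illustration.

```python
import hashlib
import re


def mysql_password(plaintext: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(plaintext))."""
    inner = hashlib.sha1(plaintext.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def mysql_md5(plaintext: str) -> str:
    """MySQL MD5(): 32 lowercase hex characters."""
    return hashlib.md5(plaintext.encode()).hexdigest()


def store(value: str, column_width: int) -> str:
    """What a VARCHAR(column_width) keeps when strict SQL mode is off."""
    return value[:column_width]


def login_ok(stored: str, typed: str, hash_fn) -> bool:
    """The comparison a hashed login performs: stored == HASH(typed)."""
    return stored == hash_fn(typed)


# Shapes of complete, untruncated hashes (hypothetical audit table).
FORMATS = {
    "PASSWORD": re.compile(r"\*[0-9A-F]{40}"),
    "MD5": re.compile(r"[0-9a-f]{32}"),
}


def classify(stored: str) -> str:
    """Name the hash format a stored value matches, or flag it for review."""
    for name, pattern in FORMATS.items():
        if pattern.fullmatch(stored):
            return name
    return "truncated-or-plaintext"


if __name__ == "__main__":
    pw = "s3cret-example"  # constructed sample password
    for width in (32, 41, 50):
        kept = store(mysql_password(pw), width)
        print(width, len(kept), classify(kept), login_ok(kept, pw, mysql_password))
```

A hash that was truncated by the one-time UPDATE cannot be repaired by widening the column afterwards; that password has to be set again. Both `PASSWORD()` and `MD5()` are fast, unsalted hashes, and `PASSWORD()` was removed in MySQL 8.0.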