Closed ngiddings closed 9 years ago
Hashes have been changed in the patches applied to the authentication branch. Session IDs are now generated by the double SHA256 hash of the user's password.
On second thought, we should close this so it's more clear what needs done.
The entire authentication system is flawed, but for completeness I am going to point out this shortcoming.
In session.php, the function to generate an authenticated session calculates a hash on the user's email to get a session id. The hash is defined as the following:
sha1( md5( $user ))
The SHA1 hash is deprecated, and not secure enough for continued use. Modern cryptanalysis of it shows that it has become deprecated and should not be in use. MD5 faces the same issue. It was first published in the 90s, and collisions can be generated within a second on a modern computer.
We should be using, in my opinion, SHA256 as the hash algorithm for any cryptographic purpose in this application. At this time we can safely assume it to be a secure hash for our purpose.
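
An added example, not code from session.php or from the project: it contrasts a session ID derived by hashing a fixed user attribute, as in the `sha1( md5( $user ))` scheme described in this issue, with one drawn from the operating system's CSPRNG. A derived ID is identical on every login whichever hash is used, while a random one is not. The function names and the sample email are assumptions made for illustration.

```php
<?php
// Added example: function names are hypothetical, not taken from session.php.

// Scheme described in the issue: the ID is a pure function of the email.
function legacy_session_id(string $email): string
{
    return sha1(md5($email));
}

// Same construction with SHA-256 applied twice: a longer digest,
// but still a pure function of its input.
function derived_session_id_sha256(string $attribute): string
{
    return hash('sha256', hash('sha256', $attribute));
}

// Mitigation: 256 bits from the OS CSPRNG, unrelated to any user attribute.
function random_session_id(): string
{
    return bin2hex(random_bytes(32));
}

// Constant-time comparison for checking a presented ID against a stored one.
function session_id_matches(string $stored, string $presented): bool
{
    return hash_equals($stored, $presented);
}

$email = 'user@example.test'; // constructed sample value

// Derived IDs repeat across logins for the same account, under either hash.
$legacyRepeats = legacy_session_id($email) === legacy_session_id($email);
$sha256Repeats = derived_session_id_sha256($email) === derived_session_id_sha256($email);

// Random IDs are issued fresh for each login.
$first  = random_session_id();
$second = random_session_id();

echo 'legacy ID repeats across logins:  ', var_export($legacyRepeats, true), PHP_EOL;
echo 'SHA-256 ID repeats across logins: ', var_export($sha256Repeats, true), PHP_EOL;
echo 'random IDs repeat across logins:  ', var_export($first === $second, true), PHP_EOL;
echo 'random ID length in hex chars:    ', strlen($first), PHP_EOL;
echo 'stored ID matches itself:         ', var_export(session_id_matches($first, $first), true), PHP_EOL;
```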