benedmunds / CodeIgniter-Ion-Auth

Simple and Lightweight Auth System for CodeIgniter
http://benedmunds.com/ion_auth/
MIT License
2.34k stars 1.14k forks

When using bcrypt, password changes to 0 #566

Closed discern closed 10 years ago

discern commented 10 years ago

It works fine on my local machine, but on the remote dev server, the password changes to 0 when using bcrypt. Changing the config to use SHA1 works. Password column is varchar 255. Any idea what might be causing this?

benedmunds commented 10 years ago

What version of PHP are you running locally, and what version on the remote?

-Ben Edmunds

On Apr 2, 2014, at 10:42 AM, Discern notifications@github.com wrote:

> It works fine on my local machine, but on the remote dev server, the password changes to 0 when using bcrypt. Changing the config to use SHA1 works. Password column is varchar 255. Any idea what might be causing this?


discern commented 10 years ago

Local is 5.3.28, Remote is 5.3.5.

benedmunds commented 10 years ago

Compare phpinfo() on each and see if maybe OpenSSL is compiled on local but not remote.

-Ben Edmunds

On Apr 2, 2014, at 1:30 PM, Discern notifications@github.com wrote:

> Local is 5.3.28, Remote is 5.3.5.


discern commented 10 years ago

OpenSSL 0.9.8b on remote, 0.9.8y on local.

benedmunds commented 10 years ago

Weird.

Add a var_dump to the bcrypted value in ion_auth_models.php hash_password() method.

-Ben Edmunds

On Apr 3, 2014, at 6:59 AM, Discern notifications@github.com wrote:

> OpenSSL 0.9.8b on remote, 0.9.8y on local.


jaysheth commented 10 years ago

Hi benedmunds,

I have similar issue please help.

Thank you.

benedmunds commented 10 years ago

Follow the same steps outlined above and let me know

jaysheth commented 10 years ago

my var_dump output is:

object(Bcrypt)#21 (2) { ["rounds":"Bcrypt":private]=> int(8) ["randomState":"Bcrypt":private]=> NULL }

benedmunds commented 10 years ago

It looks like BCrypt couldn't find a sufficient source of random.

Make sure you have OpenSSL installed on your server and compiled in PHP.

-Ben Edmunds

On May 1, 2014, at 12:13 AM, jaysheth notifications@github.com wrote:

> my var_dump output is:
>
> object(Bcrypt)#21 (2) { ["rounds":"Bcrypt":private]=> int(8) ["randomState":"Bcrypt":private]=> NULL }


sidewaysgravity commented 10 years ago

I will add to this thread. I am having the same issue. What's weird is I have an older version of ion_auth and the bcrypt works fine, but on the newer version it does not. Both on the same server. I will keep troubleshooting this to see if I can track down what the difference is.

sidewaysgravity commented 10 years ago

Made some progress on this. The commit 8dbfd489 changed the prefix for hashing from '$2a$' to '$2y$'. In my code, reverting the prefix back fixes the password-set-to-0 issue. I am looking into the prefixes and what they mean, but Ben, you might be able to shed some light on why it was changed to the new prefix.

sidewaysgravity commented 10 years ago

Okay, looks like it is a php version issue. From the documentation on php crypt.

"Versions of PHP before 5.3.7 only support "$2a$" as the salt prefix:" http://docs.php.net/manual/en/function.crypt.php

If you are running a version before 5.3.7 then you will need to change the value in the 'getSalt' function inside the Bcrypt.php file in the libraries folder. You just have to change the 'y' to an 'a' on the third character of the string. My previous comment had the commit sha for the change if you are unsure what I am talking about.

@benedmunds I assume the change to '$2y$' was to address the security vulnerability as stated in the document? In that case I am not sure it should be changed out. I wonder if it would be worth it to try and parse the version of PHP in the Bcrypt file and use the appropriate prefix?
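The failure mode traced above, as an added PHP illustration written for this page (it is not Ion Auth's Bcrypt library or any code from the thread). PHP's crypt() documents that on failure it returns a string shorter than 13 characters (such as "*0") instead of a hash, so an interpreter older than 5.3.7 handed a "$2y$" salt produces a short failure marker; if that value is passed on untested it ends up stored as something useless like 0. The example chooses the prefix from the running PHP version, validates that crypt() really returned a 60-character bcrypt string before anything is persisted, and treats a stored "0" as never verifiable. The function names (bcrypt_prefix, bcrypt_salt, is_bcrypt_hash, hash_password, verify_password) and the default cost of 8 rounds are this example's own assumptions; the cost simply matches the rounds value in jaysheth's var_dump above.

```php
<?php
// Added example, not Ion Auth code. Assumes PHP >= 5.3 with the OpenSSL
// extension available (openssl_random_pseudo_bytes returns false without it,
// which matches the "no sufficient source of random" symptom in the thread).

function bcrypt_prefix()
{
    // "$2y$" was introduced in PHP 5.3.7; older interpreters only accept "$2a$".
    return version_compare(PHP_VERSION, '5.3.7', '>=') ? '$2y$' : '$2a$';
}

function bcrypt_salt($rounds = 8)
{
    // Assumption for this example: 16 random bytes from OpenSSL, base64-encoded
    // and mapped onto bcrypt's ./A-Za-z0-9 alphabet, trimmed to the 22-character salt.
    $raw = openssl_random_pseudo_bytes(16);
    if ($raw === false) {
        throw new RuntimeException('no secure random source available (OpenSSL missing?)');
    }
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('%s%02d$%s', bcrypt_prefix(), $rounds, $salt);
}

function is_bcrypt_hash($hash)
{
    // A genuine bcrypt hash is exactly 60 characters:
    // "$2a$"/"$2x$"/"$2y$" + two-digit cost + "$" + 22-char salt + 31-char digest.
    return is_string($hash)
        && preg_match('#^\$2[axy]\$\d{2}\$[./A-Za-z0-9]{53}$#', $hash) === 1;
}

function hash_password($plain, $rounds = 8)
{
    $hash = crypt($plain, bcrypt_salt($rounds));
    // crypt() signals failure with a string shorter than 13 characters ("*0" or "*1"),
    // never with a hash. Refuse to hand such a value to the database layer.
    if (!is_bcrypt_hash($hash)) {
        throw new RuntimeException(
            'crypt() did not produce a bcrypt hash: ' . var_export($hash, true)
        );
    }
    return $hash;
}

function verify_password($plain, $stored)
{
    // Anything that is not a well-formed bcrypt hash (e.g. a stored "0") can never verify.
    if (!is_bcrypt_hash($stored)) {
        return false;
    }
    $calc = crypt($plain, $stored);
    // hash_equals() exists from PHP 5.6 for a constant-time comparison; fall back otherwise.
    return function_exists('hash_equals') ? hash_equals($stored, $calc) : $calc === $stored;
}

// Constructed usage: a password from this example, not from any real account.
$h = hash_password('correct horse battery staple');
var_dump(is_bcrypt_hash($h));
var_dump(verify_password('correct horse battery staple', $h));
var_dump(verify_password('wrong password', $h));
var_dump(verify_password('anything', '0'));
```

Whichever prefix is selected, the check in hash_password() is what keeps a crypt() failure from being silently written to the users table; the version gate only decides which prefix is attempted first.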

sidewaysgravity commented 10 years ago

Or maybe move the salt prefix to the config file with a comment to change it if running on pre 5.3.7?

benedmunds commented 10 years ago

Yea that makes sense. Can you send a PR moving this to the config?

-Ben Edmunds

On May 25, 2014, at 4:07 PM, sidewaysgravity notifications@github.com wrote:

> Or maybe move the salt prefix to the config file with a comment to change it if running on pre 5.3.7?


sidewaysgravity commented 10 years ago

Sure. Just wanted to see your thoughts before doing it.

benedmunds commented 10 years ago

Awesome, thanks

-Ben Edmunds

On May 25, 2014, at 5:05 PM, sidewaysgravity notifications@github.com wrote:

> Sure. Just wanted to see your thoughts before doing it.


sidewaysgravity commented 10 years ago

@benedmunds I believe this issue can be closed now.

benedmunds commented 10 years ago

Thanks