cwhite92 / Plymouth-Entrepreneurs-Society

Networking website for the Plymouth Entrepreneurs Society
http://www.withaspark.co.uk/

activated account won't log in #4

Closed JakeChampion closed 11 years ago

JakeChampion commented 11 years ago

I created an account and activated it via email (sweet feature!), then tried to log in with said account and it says the password is wrong. The password is my last name and was copy-pasted into the input box.

JakeChampion commented 11 years ago

Lines 54 and 85 of User.php in Model are where I think the error is occurring

line 54 $check = Security::hash($data['currentPassword'], 'blowfish', $storedPassword['User']['password']);
line 85 $this->data[$this->alias]['password'] = Security::hash($this->data[$this->alias]['password'], 'blowfish');

According to the docs for cakePHP

hash($string, $type = NULL, $salt = false)

so line 85 hashes the password with blowfish and uses no salt, and the check on line 54 hashes the entered password with blowfish AND the user's password as a salt.

cwhite92 commented 11 years ago

The bcrypt salt is generated at time of hashing by the hash() function, and results in something like $2a$10$9nLSM4Bucq....

The 2a part between the $ is the salt (iirc) and the next bit is the cost (so the hashing function will iterate 10 times). When authing the user, you have to pass the stored password in as a salt and the hash() function will automatically use the correct salt from the hashed password. See [this page](http://book.cakephp.org/2.0/en/core-utility-libraries/security.html) for more info. Scroll down to Security::hash:

When comparing values hashed with bcrypt, the original hash should be provided as the $salt parameter. This allows bcrypt to reuse the same cost and salt values, allowing the generated hash to end up with the same resulting hash given the same input value.

JakeChampion commented 11 years ago

okay, I don't see how that would mean my correct password is evaluated as incorrect though. Does logging in work on your comp?

cwhite92 commented 11 years ago

Hm, I thought it did but apparently not. I'll take a look at this soon.

cwhite92 commented 11 years ago

Fixed it. The problem was where the user's password hash would change after following the activation link, because Cake retrieves the passwords as "*****" for security, so every user's password was getting changed to that upon activation. I missed it because I was manually setting activated to 1 through phpMyAdmin.
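The two mechanisms discussed in this thread, passing the stored hash back in as the "salt" when checking a login (cwhite92's comment above on Security::hash) and a stored hash being clobbered by the masked "*****" value during activation, can be reproduced in plain PHP. The block below is an added example, not code from this repository or from CakePHP; it uses PHP's own crypt()/password_hash(), which is what CakePHP 2's Security::hash(..., 'blowfish', ...) wraps. The user rows and passwords are constructed data. One factual note for reading the hashes: in a string like $2y$10$... the 2y (2a on older PHP and CakePHP 2) identifies the bcrypt variant, 10 is the cost (2^10 key-expansion rounds, not 10 iterations), and the 22 characters after the third $ are the salt, followed by 31 characters of hash output.

```php
<?php
// Added example (not the project's code): plain-PHP model of the
// register/login paths from User.php and of the activation bug.
//
// Anatomy of a bcrypt string, e.g. "$2y$10$N9qo8uLOickgx2ZMRZoMye...":
//   $2y$           bcrypt variant ($2a$ is what CakePHP 2 emits)
//   10             cost, i.e. 2^10 rounds
//   next 22 chars  the salt; the remaining 31 chars are the hash

const BCRYPT_COST = 10;

// Registration path (the line-85 case): no salt is supplied, so a fresh
// random salt is generated and embedded in the returned string.
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Login path (the line-54 case): the stored hash is passed as the "salt".
// crypt() reads the variant, cost and salt out of it and recomputes the
// hash, so the result equals the stored value only for the same password.
// This works for both $2a$ and $2y$ strings.
function checkPassword(string $plain, string $stored): bool
{
    $recomputed = crypt($plain, $stored);
    // A malformed "salt" (such as "*****") makes crypt() return a short
    // failure string, never a 60-char bcrypt hash. Compare in constant time.
    return strlen($recomputed) === 60 && hash_equals($stored, $recomputed);
}

// Constructed user rows. The second row is what the activation bug in the
// thread produces: the model read the password back as "*****" and the
// full record, mask included, was saved over the real hash.
$users = [
    'jake'   => ['activated' => 1, 'password' => hashPassword('S3cret-Pass')],
    'broken' => ['activated' => 1, 'password' => '*****'],
];

var_dump(checkPassword('S3cret-Pass', $users['jake']['password']));   // true
var_dump(checkPassword('s3cret-pass', $users['jake']['password']));   // false
var_dump(checkPassword('S3cret-Pass', $users['broken']['password'])); // false

// Two hashes of the same password differ (fresh salt each time) yet both
// verify. This is why hashing the entered password with no salt and
// comparing it to the stored value would fail even for the right password.
$h1 = hashPassword('S3cret-Pass');
$h2 = hashPassword('S3cret-Pass');
var_dump($h1 !== $h2
    && checkPassword('S3cret-Pass', $h1)
    && checkPassword('S3cret-Pass', $h2)); // true

// Activation done safely: touch only the field that changes, rather than
// writing back a whole record that may carry the masked password.
function activate(array $row): array
{
    $row['activated'] = 1;
    unset($row['password']); // never write a read-back password field
    return $row;
}
var_dump(activate(['activated' => 0, 'password' => '*****'])); // no password key
```

Run it with `php example.php`; it needs no database. In CakePHP 2 terms the last function corresponds to updating the single activation column (for instance via the model's saveField) instead of saving the full user array that was just read from the model.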

JakeChampion commented 11 years ago

Bloody genius, I actually had no idea what on earth was going on, I enabled text view in the password fields to make sure the textbox wasn't tainting the input. Never thought about the activation link changing it.