futuresight / futurebb

The forum system by FutureSight Technologies. A live sample can be seen at http://futuresight.org/forums
http://futurebb.futuresight.org

Login hashes #140

Closed jacob-g closed 8 years ago

jacob-g commented 9 years ago

Instead of just hashing the password, have a hash stored in the database that is updated periodically and require the cookie to contain that.

Also create a "sign out all other sessions" button that just updates the hash.
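The following is an added example of the scheme this comment proposes; it is not FutureBB's code and none of it comes from the project. It assumes a `users` table with hypothetical columns `session_secret` and `secret_rotated_at`, a hypothetical cookie name `fbb_session`, a PDO connection, and PHP 7.3 or later for the array form of `setcookie()`. The secret is a random token rather than anything derived from the password hash, so changing it invalidates every cookie issued before the change, which is exactly what the "sign out all other sessions" button needs. Note that the periodic rotation the comment asks for has the same effect: when the secret expires, every session of that user, including the current one, has to log in again.

```php
<?php
// Added example, not FutureBB code. Assumes a `users` table with columns
// `id`, `session_secret` (CHAR(64), nullable) and `secret_rotated_at` (INT, unix time).
// Column names, cookie name and TTL are assumptions for illustration.

declare(strict_types=1);

const SECRET_TTL = 86400 * 30; // rotate the per-user secret after 30 days (assumed policy)

function newSecret(): string
{
    // 32 random bytes from the OS CSPRNG, hex-encoded to 64 characters.
    return bin2hex(random_bytes(32));
}

// Replaces the stored secret; every cookie issued earlier stops validating.
function rotateSecret(PDO $db, int $userId): string
{
    $secret = newSecret();
    $stmt = $db->prepare('UPDATE users SET session_secret = ?, secret_rotated_at = ? WHERE id = ?');
    $stmt->execute([$secret, time(), $userId]);
    return $secret;
}

// Called after the password check succeeds. Reuses the stored secret while it is
// fresh, rotates it when missing or older than SECRET_TTL, then sets the cookie
// to "<user id>:<secret>".
function issueLoginCookie(PDO $db, int $userId): void
{
    $stmt = $db->prepare('SELECT session_secret, secret_rotated_at FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException('unknown user id ' . $userId);
    }
    $secret = $row['session_secret'];
    if ($secret === null || (time() - (int)$row['secret_rotated_at']) > SECRET_TTL) {
        $secret = rotateSecret($db, $userId);
    }
    setcookie('fbb_session', $userId . ':' . $secret, [
        'expires'  => time() + SECRET_TTL,
        'path'     => '/',
        'secure'   => true,   // assumes the forum is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Per-request check. Returns the user id, or null when the cookie is absent,
// malformed, or carries a secret that no longer matches the database.
function userFromCookie(PDO $db): ?int
{
    $raw = $_COOKIE['fbb_session'] ?? '';
    if (!preg_match('/^(\d{1,10}):([0-9a-f]{64})$/', $raw, $m)) {
        return null;
    }
    $userId = (int) $m[1];
    $stmt = $db->prepare('SELECT session_secret FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || $stored === null) {
        return null;
    }
    // Constant-time comparison so response timing does not leak how many
    // leading characters of the presented secret are correct.
    return hash_equals($stored, $m[2]) ? $userId : null;
}

// "Sign out all other sessions": rotate the secret, then re-issue the cookie
// for the browser that pressed the button so it stays logged in.
function signOutOtherSessions(PDO $db, int $userId): void
{
    rotateSecret($db, $userId);
    issueLoginCookie($db, $userId);
}
```

A practitioner would want two caveats with this design. First, the secret is stored in the clear, so anyone who can read the `users` table can forge a valid cookie for any user; storing `hash('sha256', $secret)` in the column and comparing the hash of the presented value costs one extra line and removes that exposure. Second, because there is one secret per user rather than one per session, "sign out all other sessions" necessarily also rotates what the current browser holds, which is why `signOutOtherSessions()` re-issues the cookie immediately.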

iggyvolz commented 8 years ago

Also - you should probably just use password_hash and password_verify rather than sha1 - see http://php.net/manual/en/faq.passwords.php#faq.passwords.fasthash. I can send in a PR if you'd like.

jacob-g commented 8 years ago

Since doing so would require a significant chunk of code to convert old passwords, I think it's better if I retrofit the code to use those libraries myself. However, thank you for your suggestion.
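The conversion the last two comments discuss can be done lazily at login instead of with a bulk script, since the plaintext needed to produce a `password_hash()` record is only available when the user signs in. The following is an added example of that approach, not FutureBB's code and not the fix the maintainer eventually wrote. It assumes the legacy records are unsalted hex `sha1(password)` strings in a hypothetical `password` column; if FutureBB's sha1 scheme included a salt, the `isLegacySha1()` check and the legacy comparison would have to match that format instead.

```php
<?php
// Added example, not FutureBB code. Assumes a `users` table with columns
// `id` and `password`, where old rows hold hex sha1(password) (40 characters)
// and migrated rows hold password_hash() output. Column names are assumptions.

declare(strict_types=1);

// A legacy sha1 digest is exactly 40 hex characters. password_hash() output
// begins with "$2y$" (bcrypt) or "$argon2..." and is never 40 hex characters,
// so the two formats cannot be confused.
function isLegacySha1(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{40}$/i', $stored);
}

// PASSWORD_DEFAULT is bcrypt on every PHP release that has password_hash();
// the algorithm and cost are recorded in the output string, so later
// changes to the default do not break verification of older records.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function storeHash(PDO $db, int $userId, string $hash): void
{
    $stmt = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
    $stmt->execute([$hash, $userId]);
}

// Verifies $password against either format. On success a legacy sha1 record,
// or a password_hash() record made with an older algorithm/cost, is rewritten
// with hashPassword() in passing. Returns true only when the password matched.
function checkAndUpgradePassword(PDO $db, int $userId, string $stored, string $password): bool
{
    if (isLegacySha1($stored)) {
        // sha1 is fast and unsalted, which is the weakness being migrated away
        // from; hash_equals keeps the comparison itself constant-time.
        if (!hash_equals(strtolower($stored), sha1($password))) {
            return false;
        }
        storeHash($db, $userId, hashPassword($password));
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Also catches records whose cost is below the current default, so the
    // whole user base keeps up with later cost increases without a script.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        storeHash($db, $userId, hashPassword($password));
    }
    return true;
}

// New registrations and password changes never touch sha1 at all.
function setNewPassword(PDO $db, int $userId, string $password): void
{
    storeHash($db, $userId, hashPassword($password));
}
```

Accounts that never log in again keep their sha1 record indefinitely, so after a migration window an administrator would typically force a reset for any row where `isLegacySha1()` is still true rather than leave fast hashes in the table forever.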