
Technical Support Forums


Authenticating with encrypted password

Thread began 2/23/2015 7:55 pm by kelly1398725 | Last modified 7/19/2016 1:02 pm by Ray Borduin | 1410 views | 14 replies |

kelly1398725


Hi,
I am using the log in user to authenticate users, comparing username with password.
The password is encrypted with SHA1. How can I use log in user to verify the user's password by encrypting it again and comparing the two encrypted versions?

Thank you for any pointers.


Jason Byrnes, WebAssist

In the login behavior, when you select the password for element, the code for the value will look like:

<?php echo ((isset($_POST["password2"]))?$_POST["password2"]:""); ?>

Edit that code to add the sha1() function:

<?php echo ((isset($_POST["password2"]))?sha1($_POST["password2"]):""); ?>


kelly1398725

Thanks Jason. Very useful extension. Simple and clean code.


Jason Byrnes, WebAssist

You're welcome.


davidtricker376400

I'm confused. I'm trying to use the password_verify() function in PHP. When I add it to the line

$Authenticate->addFilter("password", "=", "s", "".((isset($_POST["password"]))?password_verify($_POST["password"]):"") ."");

at the top of my login page it doesn't allow anyone to login.

Where would I need to add <?php echo ((isset($_POST["password2"]))?password_verify($_POST["password2"]):""); ?> as in your example to get this to work?

My passwords are being stored successfully using

$spw = ((isset($_POST["password"]))?$_POST["password"]:"");
$storePW = password_hash($spw, PASSWORD_BCRYPT, array('cost' => 10));

I'm just having difficulty authenticating them.

Thanks


Ray Borduin, WebAssist

I think you would use:

<?php echo ((isset($_POST["password2"]))?password_hash($_POST["password2"], PASSWORD_BCRYPT, array('cost' => 10)):""); ?>


davidtricker376400

Thanks Ray, but that doesn't work. I've added several users to the test database with the same password and they are all stored differently in the database; this makes me think a different salt is being used every time, so this would return false as the password hashes would be different. Looking at the interweb, there is a process for checking the hashed password against the form input using password_verify().

That would entail pulling the password from the db using the username and storing it in a string and then comparing it to the input password e.g.

$storedpassword = "some value from database";
$inputpassword = ((isset($_POST["password"]))?$_POST["password"]:"") ;

if (password_verify($inputpassword, $storedpassword)) {
    // code if valid
} else {
    // code if not valid
}

I've tried to integrate this into the $authenticate function from WebAssist, but I keep on breaking it. Any help would be appreciated.

Thanks.


Ray Borduin, WebAssist

You could use that code to set a session variable and then use the session variable as the trigger for the MySQLi authenticate.

So:
1) Create a recordset filtered by the entered email address
2) Then use your code to validate the password returned with this code:

$storedpassword = $yourRecordset->getColumnVal('passwordColumn');
$inputpassword = ((isset($_POST["password"]))?$_POST["password"]:"") ;
@session_start();
if (password_verify($inputpassword, $storedpassword)) {
    $_SESSION['auth_trigger'] = "passed";
} else {
    $_SESSION['auth_trigger'] = "";
}


3) Then set your MySQLi login trigger to: $_SESSION['auth_trigger'], and only use the email address for the login filter.


davidtricker376400

Thanks Ray, that has been most useful, so just to be clear, this:

if (isset($_POST["submit"]) || isset($_POST["submit_x"])) {
    $Authenticate = new WA_MySQLi_Auth($db);
    $Authenticate->Action = "authenticate";
    $Authenticate->Name = "Login";
    $Authenticate->Table = "admins";
    $Authenticate->addFilter("username", "=", "s", "".((isset($_POST["username"]))?$_POST["username"]:"") ."");
    $Authenticate->addFilter("password", "=", "s", "".((isset($_POST["password"]))?$_POST["password"]:"") ."");
    $Authenticate->storeResult("username", "userName");
    $Authenticate->storeResult("superuser", "superUser");
    $Authenticate->AutoReturn = false;
    $SuccessRedirect = "/success/";
    $FailedRedirect = "/failed/";
    if (function_exists("rel2abs")) $SuccessRedirect = $SuccessRedirect?rel2abs($SuccessRedirect,dirname(__FILE__)):"";
    if (function_exists("rel2abs")) $FailedRedirect = $FailedRedirect?rel2abs($FailedRedirect,dirname(__FILE__)):"";
    $Authenticate->SuccessRedirect = $SuccessRedirect;
    $Authenticate->FailRedirect = $FailedRedirect;
    $Authenticate->execute();
}

would then become:

// Compare with ===; a single = would assign "passed" and make the test always true.
if (isset($_SESSION['auth_trigger']) && ($_SESSION['auth_trigger'] === "passed")) {
    $Authenticate = new WA_MySQLi_Auth($db);
    $Authenticate->Action = "authenticate";
    $Authenticate->Name = "Login";
    $Authenticate->Table = "admins";
    $Authenticate->addFilter("username", "=", "s", "".((isset($_POST["username"]))?$_POST["username"]:"") ."");

    $Authenticate->storeResult("username", "userName");
    $Authenticate->storeResult("superuser", "superUser");
    $Authenticate->AutoReturn = false;
    $SuccessRedirect = "/success/";
    $FailedRedirect = "/failed/";
    if (function_exists("rel2abs")) $SuccessRedirect = $SuccessRedirect?rel2abs($SuccessRedirect,dirname(__FILE__)):"";
    if (function_exists("rel2abs")) $FailedRedirect = $FailedRedirect?rel2abs($FailedRedirect,dirname(__FILE__)):"";
    $Authenticate->SuccessRedirect = $SuccessRedirect;
    $Authenticate->FailRedirect = $FailedRedirect;
    $Authenticate->execute();
}

Hopefully this will help some others in adding hashed and salted passwords to WebAssist's login functionality.


Ray Borduin, WebAssist

Yes I think that would do the trick... remove the blank line or it might not be picked up by the server behavior inspector.
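
Added example, not part of the original thread and not WebAssist code: a self-contained check that produces the value Ray's step 2 stores in $_SESSION['auth_trigger']. It goes beyond the posts by also accepting the unsalted SHA1 hashes from the first question and upgrading them to bcrypt on a successful login. The in-memory user table, the function names and the sample passwords are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for the "admins" table (assumption).
function sample_users(): array {
    return [
        'alice' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]),
        'bob'   => sha1('legacy-pass'), // old unsalted SHA1 row, as in the first question
    ];
}

// Returns ['trigger' => 'passed' or '', 'newHash' => string or null].
function check_login(array $users, string $username, string $password): array {
    // Unknown user: still verify against a dummy bcrypt hash so the response
    // time does not reveal whether the account exists.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_BCRYPT, ['cost' => 10]);
    $known  = array_key_exists($username, $users);
    $stored = $known ? $users[$username] : $dummy;

    if (preg_match('/^[0-9a-f]{40}$/', $stored) === 1) {
        // Legacy SHA1 row: constant-time compare, then force an upgrade.
        $ok = hash_equals($stored, sha1($password));
        $needsRehash = true;
    } else {
        // bcrypt embeds its salt in the hash, so only password_verify() can check it.
        $ok = password_verify($password, $stored);
        $needsRehash = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 10]);
    }
    $ok = $ok && $known; // fail closed for unknown users

    return [
        'trigger' => $ok ? 'passed' : '',
        'newHash' => ($ok && $needsRehash)
            ? password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]) : null,
    ];
}

$users = sample_users();
$attempts = [['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 'legacy-pass'], ['mallory', 'x']];
foreach ($attempts as [$u, $p]) {
    $r = check_login($users, $u, $p);
    // Strict comparison: an assignment (=) here would be truthy for every attempt.
    if ($r['trigger'] === 'passed') {
        printf("%s: login ok%s\n", $u, $r['newHash'] !== null ? ' (hash upgraded to bcrypt)' : '');
    } else {
        printf("%s: login failed\n", $u);
    }
}
```

In the page flow from Ray's steps, store the returned trigger in $_SESSION['auth_trigger'], write newHash back to the password column when it is not null, and clear the trigger once the login behavior has run so a stale "passed" cannot carry into a later request.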
