I am using UserCake and ran into an issue. For some reason the generateHash() function is no longer working consistently. Here's what I'm looking at:

funcs.php <-- Where the function is held

function generateHash($plainText, $salt = null) {
    if ($salt === null) {
        $salt = substr(md5(uniqid(rand(), true)), 0, 25);
    } else {
        $salt = substr($salt, 0, 25);
    }

    return $salt . sha1($salt . $plainText);
}

class.newuser.php <-- where the function is called to create the password

//Construct a secure hash for the plain text password
$secure_pass = generateHash($this->clean_password);

login.php <-- where the function is called to compare the passwords

//Hash the password and use the salt from the database to compare the password.
$entered_pass = generateHash($password,$userdetails["password"]);

if($entered_pass != $userdetails["password"]) {
    $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
} else {
    //Passwords match! We're good to go
}

I can successfully create a new account. But when I go to log in the hash password created by login.php is different than the one created by the new user class. For example, when I log in I put print_r on both the entered hash pw, and the hash pw in the database and here's what comes back:

$entered_pass = 62b8ce100193434601929323a13a4d95bd3c6535b014e6444516af13f605f36f7
database pass = 62b8ce100193434601929323a153564aaeb4ad75d57b353ee8918cd9829cb5e1b

The only thing I can think of is that the hashed password starts to deviate on the 26th character, and the $salt looks to have something with 25 going on (assuming that's the max length?). All of this is stock UserCake stuff so I don't understand why it is being so inconsistent.

I will note, if I copy the hashed $entered_pass (first one there) and paste it into the database, I will successfully log in.

EDIT >>>

After looking at it some more, I think the problem comes down to sha1($salt . $plainText);. It looks as though after the first $salt is where things begin to differ. Also, when I remove the sha1() function it logs in perfectly; I just wonder if that has any major impact on security.

1 Answer

I had this same issue. After some research I found that using the password_hash() function was more up to date.

I changed the $secure_pass var in class.newuser.php to this...

        //Construct a secure hash for the plain text password
        $secure_pass = password_hash("$this->clean_password", PASSWORD_DEFAULT);

class.user.php

// Update a user's password
public function updatePassword($pass)
{
    global $mysqli,$db_table_prefix;
    $secure_pass = password_hash("$pass", PASSWORD_DEFAULT);
    $this->hash_pw = $secure_pass;
    $stmt = $mysqli->prepare("UPDATE ".$db_table_prefix."users
        SET
        password = ? 
        WHERE
        id = ?");
    $stmt->bind_param("si", $secure_pass, $this->user_id);
    $stmt->execute();
    $stmt->close(); 
}

login.php

// Use built-in PHP password hashing
if (!password_verify($password, $userdetails["password"])) {
    // Login Error Attempt Handler
    login_attm_hand();
    // Again, we know the password is at fault here, but let's not give away the combination in case someone is brute-forcing
    $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
}

I think that is everything I had to update on my site. If you have any errors let me know and I can try and help.
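
Accounts created before this change still hold hashes in the old generateHash() format, which password_verify() rejects. The following is an added example (not UserCake code and not part of the answer above) of a login check that accepts both formats and returns a password_hash() value to store in place of a legacy one; legacyHashMatches() and verifyAndUpgrade() are hypothetical names, and the sample record is constructed.

```php
<?php
// Added example; legacyHashMatches() and verifyAndUpgrade() are hypothetical names.

// Legacy format from generateHash(): 25-char salt followed by sha1(salt . password).
function legacyHashMatches(string $password, string $stored): bool
{
    if (strlen($stored) !== 65) { // 25 salt chars + 40 hex chars of SHA-1
        return false;
    }
    $salt = substr($stored, 0, 25);
    // hash_equals() compares in constant time, unlike the != in the original login.php.
    return hash_equals($stored, $salt . sha1($salt . $password));
}

// Returns [bool $ok, ?string $newHash]. $newHash is non-null when the stored
// value should be overwritten (legacy format or outdated password_hash() settings).
function verifyAndUpgrade(string $password, string $stored): array
{
    if (password_verify($password, $stored)) {
        $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
            ? password_hash($password, PASSWORD_DEFAULT)
            : null;
        return [true, $new];
    }
    if (legacyHashMatches($password, $stored)) {
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    return [false, null];
}

// Constructed sample record, built the same way generateHash() builds one.
$salt   = substr(md5('constructed-salt'), 0, 25);
$legacy = $salt . sha1($salt . 'correct horse');

[$ok, $upgraded] = verifyAndUpgrade('correct horse', $legacy);
var_dump($ok, password_verify('correct horse', $upgraded));

[$rejected] = verifyAndUpgrade('wrong guess', $legacy);
var_dump($rejected);
```

When the second return value is non-null, write it to the password column with the same prepared UPDATE used in updatePassword(), so each account leaves the SHA-1 format on its next successful login.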