Simple Auth Problem [SOLVED]

Question

Simple Auth Problem [SOLVED]

Phillip Jackson Feb '14

Created Feb '14	Last Reply Mar '14	Replies 3	Views 1748	Votes 0

Phillip Jackson 17.8k

Feb '14

Let me preface this with saying, "I really feel stupid asking this question!" But I am stumped and would like some feed back on what the hell I am doing wrong. So here is my simple authentication method :

    public function startSessionAction()
    {

        if($this->request->isPost()){
            $data = $this->request;

            $username = $data->getPost('username');
            $password = $data->getPost('password');

            $user = Users::findFirstByUsername($username);

            if($user){

                if($this->security->checkHash($password, $user->password)){
                    $this->registerSession($user);
                    $this->persistent->name = $user->name;
                    $this->flashSession->success('Welcome ' . $this->persistent->name);
                    return $this->response->redirect('user/index');
                }
            }else{
                $this->flashSession->error("The username you provided is not in our system.");
                return $this->response->redirect('user/login');
            }

            $this->flashSession->error("Password does match our records for " . $user->username . " .");
        }

        return $this->response->redirect('user/login');

    }

Full controller can be viewed here : https://gist.github.com/unisys12/8941453

So, the problem I am having is that the password is failing to match. I feel the reason has something to do with the 'checkHash()' method, as outlined in the Security docs here(https://docs.phalcon.io/en/latest/reference/security.html#password-hashing) and the API here (https://docs.phalcon.io/en/latest/api/Phalcon_Security.html). The password was saved from a reg form and after assigning the password field to a var, that was then passed to method which, of course, created the hashed password stored in the database.

So. What very basic, fundamental thing am I over looking. I know I have a very bad habit of over thinking things, so... just need someone to bring me back down to earth.

le51 · Answer 1 · 2014-02-11T14:35:28-07:00

le51
43.9k

edited Feb '14
Feb '14

hi, di you use:

$user->password = $this->security->hash($password);

for encrypting user password ?

Phillip Jackson · Answer 2 · 2014-02-11T14:45:47-07:00

Yes... for clarity in how the password gets into the database, here is my createAction() from the UserController :

public function createAction()
    {

        if($this->request->isPost()){

            $request = $this->request;

            $name = $request->getPost('name');
            $email = $request->getPost('email');
            $username = $request->getPost('username');
            $password = $request->getPost('password');
            $password_confirm = $request->getPost('password_confirm');

            if($password != $password_confirm){
                $this->flashSession->error('Passwords do not match');
                return false;
            }

            $user = new Users();
            $user->name = $name;
            $user->email= $email;
            $user->username = $username;
            $user->password = $this->security->hash($password);
            $user->created_at = new Phalcon\Db\RawValue('now()');
            $user->updated_at = new Phalcon\Db\RawValue('now()');

            if($user->save() == false){
                foreach($user->getMessages() as $message){
                    $this->flashSession->error((string) $message);
                }
            } else {
                Tag::setDefault('username', $user->username);
                $msg = $this->flashSession->success('Thanks for singing up. Please log in to get started.');
                return $this->response->redirect('/blog-local/');
            }

        }

        $this->view->disable();

    }

mullermx · Answer 3 · 2014-02-11T21:04:02-07:00

mullermx
1.6k

Feb '14

I ended up doing md5(password), and that did the trick.

Phillip Jackson · Answer 4 · 2014-02-11T21:23:08-07:00

@mullermx - Although I am only doing this project for myself, it will be eventually be hosted. So having to use md5 is not going to cut it. I don't know C, but I can read. So it's about time I start digging in the core to see what is going on inside 'hash()' and 'checkHash'; I am not giving up and will keep this updated.

Phillip Jackson · Answer 5 · 2014-02-15T18:48:02-07:00

Figured out what the problem was. And yes, it was stupid. Well maybe not too stupid, but stupid enough. The problem was with the users table. When I created it, I accidently set the character limit for the password column to 50 and not 60, which is the minimum allowed for crypt passwords. DOH! Well, I guess one good thing came out of this: I have rewritten this authentication method so many times and in so many different ways... I have a far better understanding of the mechanics of an authentication system than ever before. Well, I will take my learning however I can get it.

izayoi · Answer 6 · 2014-03-08T20:06:48-07:00

Hahaha, the reason I can laugh at this is because the exact same thing happened to me -____- I understand the frustrations involved, but I decided to go with the new password hashing API in PHP5.5, and the recommended practice is to use a 255 char limit, so that in the event of bcrypt not being the default hashing function, the column would have enough space to accept pretty much any others.

Phillip Jackson · Answer 7 · 2014-03-08T20:47:16-07:00

For the record, this was the package I used - https://jeremykendall.net/2014/01/04/php-password-hashing-a-dead-simple-implementation buddy of mines project and wanted to check it out. Offers backwards compatibility and stuff. Give it a quick read.