Jump to content

Compare cookie's pass hash against DB


inkredible

Recommended Posts

Posted

Hi,

I saw that IPS stores the "ips4_member_id" and "ips4_pass_hash" in the user's cookie. The value looks for my test account looks like this: 61f2a3256147800655e3d38df57db645 , however the members_pass_hash in the core_members table looks completely different (like this:  $2a$13$A5WevLFUT2VxECdDeK8AbOYjltYRg0.PvKuRTG3oi[...]E). I wonder how I can use the cookie value in order to make sure the user is valid (and not faking a cookie with a desired member_id)?

I noticed that everything before the dot stored in my member's pass hash is 1. The BlowFish crypt method and it's cost parameter and 2. the salt. However everything behind the key is completely different than the stored IPS4_pass_hash value though?

Posted

The software on the back end creates a password hash using Blowfish, and stores that in the database. However, for a user's cookie, it generates a separate, completely random and arbitrary value as a login key, which is stored in the cookie as "ips4_pass_hash". My guess is that the idea is that even if someone steals a person's cookie, it doesn't betray anything at all about their actual password.

Posted
17 minutes ago, Linguica said:

The software on the back end creates a password hash using Blowfish, and stores that in the database. However, for a user's cookie, it generates a separate, completely random and arbitrary value as a login key, which is stored in the cookie as "ips4_pass_hash". My guess is that the idea is that even if someone steals a person's cookie, it doesn't betray anything at all about their actual password.

Would that mean that I can't use the cookie pass_hash in order to authenticate the user serversided in an external application? Instead I could use the session_id and check it if it matches for the provided member_id but I would be happy to get an expert oppinion about this.

Posted
7 minutes ago, Ryan Ashbrook said:

If you are looking to authenticate against IPS4, then I would recommend using IPS Connect - it will allow you to do all of that.

This may also be helpful:

 

I read that and the documentation says: "  It is also possible to load the values stored in the user's cookies (if any) and validate them against the framework directly " and this is exactly what I am asking here for. My external application is hosted on a different server and is not written in PHP. I am connunicating with the server via websockets and therefore I would like to send the cookie.

So what information does help me in the cookie? I assumed that I need to check the IPS4_pass_hash and compare it with the members_pass_hash for the specified member_id

Posted

As Ryan said, there are alternative approaches to validating a member that are more robust, but to answer your question - the pass_hash cookies correlates to the member_login_key value for a member account. Note that this value can be updated regularly (at which time the cookie is updated) and as has been mentioned, it is an arbitrary random md5 string and not something that can be calculated.

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...