Jump to content

Recommended Posts

Not quite sure what you're asking, but passwords should only be stored in a database after encryption. You pull the password from the database, compare it to the password provided by the user, then let it go. Don't store it in $_SESSION or $_COOKIE or anywhere else.

To give you the details.

 

1 - get a user id and password from the user

2 - encrypt the password and save the userid and the encrypted password in the users table.

 

When checking a user's login attempt:

1 - get the user's id and password entries

2 - encrypt the password value the exact same way as you did when you stored it

3 - do a query on the table to get the record that matches both the user id and the encrypted password entry

4 - if the query returns exactly 1 record - the user logged in correctly. If not - send them back to login again.

 

As said by Maxxd - you don't return the password in the query, nor do you get it and save it anywhere. The password is not needed once you verify that it was provided correctly. If you need to remember that a user is logged in you create a token that indicates that to your application, such as a $_SESSION var or a cookie but in no way do you store sensitive information in either place.

A few responses are referring to "encryption" above. Hashing is not encryption, but it is routinely called that. Since you are specifically asking what hashing is, I think it is important to differentiate the two.

 

Encryption is used when you need to securely store a value which you will need in its original state in the future. For example, if you allow the user to store thier credit card number for the purpose of easy check outs in the future, you would need to encrypt it. Other data such as SSNs, birth dates and other PII data should be encrypted as well (assuming it shoudl even be something to be stored). With encryption, there is a key or some method to decrypt the value back to its original state.

 

Hashing is used to verify that some value is the same as some other previous value. hashes cannot be decrypted back to their original values. Two specific uses for hashes are for password and file verification. When a user creates a password, the hashes values should be stored - not the actual password. Then, when logging in, the user submits their password and the value will be hashed in the same manner in which is was when stored. Those hashed values are then compared to see if the user entered the correct password. Passwords should be hashed because people use the same passwords on different sites. If the database is compromised, the malicious user already has all the data. But, we want to prevent them from getting the original password. Hashes are also used for file verification. If an install file for some shareware app is made available for download from many sites, you want to be careful to ensure you are getting the "real" file and not one that has been modified with malicious code. The author may provide a hash value of their file. Then when you download the file from an alternative site you can run a hash on it to ensure it returns the same hash and has not been modified.

 

Hashing is also referred to one-way encryption because, ideally, you should not be able to decrypt it since it is used for comparing two value. But, you may hear about being able to decrypt hashes via rainbow tables. It is not really decrypting. A rainbow table is the process of generating hashes for MANY different values (typically a dictionary list). If I hash the word "password", it will be the same hash every time (assuming no additional processes are used). So, if a programmer just used a simple hashing method, I could create hashes for common words that are used as passwords and find the users that are using those words since they would have the same hash.

 

But, a hash should not be used on its own. When hashing a value a 'salt' should be used to ensure the hash is unique for that user/record. For example, if you were to concatenate the user's password and the timestamp of when they registered before hashing you would have to create a rainbow table specific for each user. The password_hash() function specified above has this built in.

  • Like 2
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.