I am using this tutorial http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL to secure access to my web page and I would like to extend it with a reset-password feature. Unfortunately my reset-password add-on stores something that makes the account unable to log in.
This code performs user registration and works like a charm:
```php
$random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
// Create salted password
$password = hash('sha512', $password . $random_salt);
// Insert the new user into the database
if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password, salt) VALUES (?, ?, ?, ?)")) {
    $insert_stmt->bind_param('ssss', $username, $email, $password, $random_salt);
    // Execute the prepared query.
    if (! $insert_stmt->execute()) {
        header('Location: ../error.php?err=Registration failure: INSERT');
    }
}
header('Location: ./register_success.php');
```
Login processing:
```php
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
    // If the user exists we check if the account is locked
    // from too many login attempts
    if (checkbrute($user_id, $mysqli) == true) {
        // Account is locked
        // Send an email to user saying their account is locked
        return false;
    } else {
        // Check if the password in the database matches
        // the password the user submitted.
        if ($db_password == $password) {
```
also works fine (not my job :)). And now my part: a random string generator followed by hashing:
```php
$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$charactersLength = strlen($characters);
$randomString = '';
for ($i = 0; $i < 8; $i++) {
    $randomString .= $characters[rand(0, $charactersLength - 1)];
}
$random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
// Create salted password
$password = hash('sha512', $randomString . $random_salt);
if ($insert_stmt = $mysqli->prepare("UPDATE members SET password = ?, salt=? WHERE username= ?")) {
    $insert_stmt->bind_param('sss', $password, $random_salt, $username);
    $insert_stmt->execute();
    $insert_stmt->close();
}
```
The reset script successfully modifies the DB for the user, storing the correct salt and the correct hashed password. Tested by showing the random text and the salt on the screen and then combining them here: http://www.convertstring.com/cs/Hash/SHA512
Any advice on how to trace the hashing process, or tips on how to fix it, would be appreciated.
I have a suspicion that there may be some trouble with the JS which hashes the password on the client side:
```javascript
function formhash(form, password) {
    // Create a new element input, this will be our hashed password field.
    var p = document.createElement("input");
    // Add the new element to our form.
    form.appendChild(p);
    p.name = "p";
    p.type = "hidden";
    p.value = hex_sha512(password.value);
    // Make sure the plaintext password doesn't get sent.
    password.value = "";
    // Finally submit the form.
    form.submit();
}
```
Thank you very much
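The following is an added illustration, not code from the question or from the wikiHow tutorial. It models the three code paths shown above (register, login, reset) in memory so the value each path stores can be compared. It assumes that the tutorial's `hex_sha512()` JavaScript helper produces the same lowercase hex digest as PHP's `hash('sha512', ...)`, so the client-side step is simulated with a PHP function named `client_side_hash()`; `reset_as_posted()` and `reset_consistent()` are hypothetical names chosen for the comparison.

```php
<?php
// Added illustration (not the question's code). Models register, login and
// reset in memory so the stored hashes can be compared side by side.
// Assumption: the page's hex_sha512() JS helper returns the same lowercase
// hex digest as PHP's hash('sha512', ...), so it is simulated here in PHP.

function client_side_hash(string $plaintext): string {
    // What formhash() puts in the hidden "p" field instead of the plaintext.
    return hash('sha512', $plaintext);
}

function make_salt(): string {
    return hash('sha512', uniqid((string) mt_rand(1, mt_getrandmax()), true));
}

function server_side_hash(string $submitted, string $salt): string {
    // Registration and login both apply this to the value received from the form.
    return hash('sha512', $submitted . $salt);
}

// Registration as the tutorial does it: the browser has already applied hex_sha512.
function register(array &$members, string $username, string $plaintext): void {
    $salt = make_salt();
    $members[$username] = [
        'salt'     => $salt,
        'password' => server_side_hash(client_side_hash($plaintext), $salt),
    ];
}

// Login as the tutorial does it: same client-side step, then salt and compare.
function login(array $members, string $username, string $plaintext): bool {
    if (!isset($members[$username])) {
        return false;
    }
    $row = $members[$username];
    $candidate = server_side_hash(client_side_hash($plaintext), $row['salt']);
    return hash_equals($row['password'], $candidate);
}

function random_token(int $length = 8): string {
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is a CSPRNG; rand() is not suitable for reset tokens.
        $token .= $characters[random_int(0, strlen($characters) - 1)];
    }
    return $token;
}

// Reset exactly as written in the question: the raw token is salted and hashed,
// skipping the client-side step that the login form will apply to the token.
function reset_as_posted(array &$members, string $username): string {
    $token = random_token();
    $salt = make_salt();
    $members[$username] = [
        'salt'     => $salt,
        'password' => server_side_hash($token, $salt),
    ];
    return $token;
}

// Reset that mirrors the registration path: apply the same transform the
// browser will apply to the token before salting it.
function reset_consistent(array &$members, string $username): string {
    $token = random_token();
    $salt = make_salt();
    $members[$username] = [
        'salt'     => $salt,
        'password' => server_side_hash(client_side_hash($token), $salt),
    ];
    return $token;
}

$members = [];
register($members, 'alice', 'correct horse');
var_dump(login($members, 'alice', 'correct horse'));

// Login hashes the token with hex_sha512 first; the stored value was built from the raw token.
$token = reset_as_posted($members, 'alice');
var_dump(login($members, 'alice', $token));

// Stored value now matches what the login form will submit.
$token = reset_consistent($members, 'alice');
var_dump(login($members, 'alice', $token));
```

Run it with `php example.php` and compare the three `var_dump()` lines. The comparison isolates the one place where the reset path and the registration path diverge: whatever transform the browser applies before submitting must also be applied to a server-generated temporary password before it is salted, or the stored digest and the login-time digest are computed over different inputs. Using `random_int()` for the token and `hash_equals()` for the comparison are defensive choices added here; they do not change the mismatch being shown.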