aboutsummaryrefslogtreecommitdiff
path: root/engine/lib
diff options
context:
space:
mode:
authormarcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544>2008-08-04 10:59:16 +0000
committermarcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544>2008-08-04 10:59:16 +0000
commitb4ee69ed8d1656c6b70ba74d4e9542caac9d55c1 (patch)
treefebb2c0dc84d3147ed97fb537ad7be03f50f2ef6 /engine/lib
parentceebe108fecc1083be435313c4c3f4fa284e7175 (diff)
downloadelgg-b4ee69ed8d1656c6b70ba74d4e9542caac9d55c1.tar.gz
elgg-b4ee69ed8d1656c6b70ba74d4e9542caac9d55c1.tar.bz2
Closes #193: Added salt field to database and new users will be generated with salted passwords.
Existing users remain unchanged and should still be able to log in. Requires a schema change and the following code run against the database: alter table elggusers_entity add column salt varchar(8) NOT NULL default '' after password; git-svn-id: https://code.elgg.org/elgg/trunk@1676 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine/lib')
-rw-r--r--engine/lib/sessions.php4
-rw-r--r--engine/lib/users.php26
2 files changed, 16 insertions, 14 deletions
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php
index a47415d64..279beb107 100644
--- a/engine/lib/sessions.php
+++ b/engine/lib/sessions.php
@@ -80,7 +80,7 @@
// Let admins log in without validating their email, but normal users must have validated their email
if ((!$user->admin) && (!$user->validated_email))
return false;
-
+
if ($user->password == generate_user_password($user, $credentials['password'])) {
return true;
}
@@ -102,7 +102,7 @@
function login(ElggUser $user, $persistent = false) {
global $CONFIG;
-
+
$_SESSION['user'] = $user;
$_SESSION['guid'] = $user->getGUID();
$_SESSION['id'] = $_SESSION['guid'];
diff --git a/engine/lib/users.php b/engine/lib/users.php
index bbfaa4a1f..70879f9c0 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -42,7 +42,8 @@
$this->attributes['type'] = "user";
$this->attributes['name'] = "";
$this->attributes['username'] = "";
- $this->attributes['password'] = "";
+ $this->attributes['password'] = "";
+ $this->attributes['salt'] = "";
$this->attributes['email'] = "";
$this->attributes['language'] = "";
$this->attributes['code'] = "";
@@ -157,7 +158,7 @@
return false;
// Now save specific stuff
- return create_user_entity($this->get('guid'), $this->get('name'), $this->get('username'), $this->get('password'), $this->get('email'), $this->get('language'), $this->get('code'));
+ return create_user_entity($this->get('guid'), $this->get('name'), $this->get('username'), $this->get('password'), $this->get('salt'), $this->get('email'), $this->get('language'), $this->get('code'));
}
/**
@@ -353,20 +354,20 @@
* @param string $description
* @param string $url
*/
- function create_user_entity($guid, $name, $username, $password, $email, $language, $code)
+ function create_user_entity($guid, $name, $username, $password, $salt, $email, $language, $code)
{
- global $CONFIG;
+ global $CONFIG;
- $guid = (int)$guid;
- $name = sanitise_string($name);
- $username = sanitise_string($username);
- $password = sanitise_string($password);
+ $guid = (int)$guid;
+ $name = sanitise_string($name);
+ $username = sanitise_string($username);
+ $password = sanitise_string($password);
+ $salt = sanitise_string($salt);
$email = sanitise_string($email);
$language = sanitise_string($language);
$code = sanitise_string($code);
$row = get_entity_as_row($guid);
-
if ($row)
{
// Exists and you have access to it
@@ -387,7 +388,7 @@
else
{
// Update failed, attempt an insert.
- $result = insert_data("INSERT into {$CONFIG->dbprefix}users_entity (guid, name, username, password, email, language, code) values ($guid, '$name', '$username', '$password', '$email', '$language', '$code')");
+ $result = insert_data("INSERT into {$CONFIG->dbprefix}users_entity (guid, name, username, password, salt, email, language, code) values ($guid, '$name', '$username', '$password', '$salt', '$email', '$language', '$code')");
if ($result!==false) {
$entity = get_entity($guid);
if (trigger_elgg_event('create',$entity->type,$entity)) {
@@ -960,7 +961,7 @@
*/
function generate_random_cleartext_password()
{
- return substr(md5(microtime()), 0, 8);
+ return substr(md5(microtime() . rand()), 0, 8);
}
/**
@@ -973,7 +974,7 @@
*/
function generate_user_password(ElggUser $user, $password)
{
- return md5($password);
+ return md5($password . $user->salt);
}
/**
@@ -1013,6 +1014,7 @@
$user->email = $email;
$user->name = $name;
$user->access_id = 2;
+ $user->salt = generate_random_cleartext_password(); // Note salt generated before password!
$user->password = generate_user_password($user, $password);
$user->save();