diff options
author | marcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2008-08-04 10:59:16 +0000 |
---|---|---|
committer | marcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2008-08-04 10:59:16 +0000 |
commit | b4ee69ed8d1656c6b70ba74d4e9542caac9d55c1 (patch) | |
tree | febb2c0dc84d3147ed97fb537ad7be03f50f2ef6 /engine/lib | |
parent | ceebe108fecc1083be435313c4c3f4fa284e7175 (diff) | |
download | elgg-b4ee69ed8d1656c6b70ba74d4e9542caac9d55c1.tar.gz elgg-b4ee69ed8d1656c6b70ba74d4e9542caac9d55c1.tar.bz2 |
Closes #193: Added salt field to database and new users will be generated with salted passwords.
Existing users remain unchanged and should still be able to log in.
Requires a schema change and the following code run against the database:
alter table elggusers_entity add column salt varchar(8) NOT NULL default '' after password;
git-svn-id: https://code.elgg.org/elgg/trunk@1676 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine/lib')
-rw-r--r-- | engine/lib/sessions.php | 4 | ||||
-rw-r--r-- | engine/lib/users.php | 26 |
2 files changed, 16 insertions, 14 deletions
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php index a47415d64..279beb107 100644 --- a/engine/lib/sessions.php +++ b/engine/lib/sessions.php @@ -80,7 +80,7 @@ // Let admins log in without validating their email, but normal users must have validated their email if ((!$user->admin) && (!$user->validated_email)) return false; - + if ($user->password == generate_user_password($user, $credentials['password'])) { return true; } @@ -102,7 +102,7 @@ function login(ElggUser $user, $persistent = false) {
global $CONFIG;
-
+
$_SESSION['user'] = $user;
$_SESSION['guid'] = $user->getGUID();
$_SESSION['id'] = $_SESSION['guid'];
diff --git a/engine/lib/users.php b/engine/lib/users.php index bbfaa4a1f..70879f9c0 100644 --- a/engine/lib/users.php +++ b/engine/lib/users.php @@ -42,7 +42,8 @@ $this->attributes['type'] = "user";
$this->attributes['name'] = "";
$this->attributes['username'] = "";
- $this->attributes['password'] = "";
+ $this->attributes['password'] = ""; + $this->attributes['salt'] = "";
$this->attributes['email'] = "";
$this->attributes['language'] = "";
$this->attributes['code'] = "";
@@ -157,7 +158,7 @@ return false;
// Now save specific stuff
- return create_user_entity($this->get('guid'), $this->get('name'), $this->get('username'), $this->get('password'), $this->get('email'), $this->get('language'), $this->get('code')); + return create_user_entity($this->get('guid'), $this->get('name'), $this->get('username'), $this->get('password'), $this->get('salt'), $this->get('email'), $this->get('language'), $this->get('code')); }
/**
@@ -353,20 +354,20 @@ * @param string $description
* @param string $url
*/
- function create_user_entity($guid, $name, $username, $password, $email, $language, $code)
+ function create_user_entity($guid, $name, $username, $password, $salt, $email, $language, $code)
{
- global $CONFIG;
+ global $CONFIG; - $guid = (int)$guid;
- $name = sanitise_string($name);
- $username = sanitise_string($username);
- $password = sanitise_string($password);
+ $guid = (int)$guid;
+ $name = sanitise_string($name);
+ $username = sanitise_string($username);
+ $password = sanitise_string($password); + $salt = sanitise_string($salt);
$email = sanitise_string($email);
$language = sanitise_string($language);
$code = sanitise_string($code);
$row = get_entity_as_row($guid);
-
if ($row)
{
// Exists and you have access to it @@ -387,7 +388,7 @@ else { // Update failed, attempt an insert. - $result = insert_data("INSERT into {$CONFIG->dbprefix}users_entity (guid, name, username, password, email, language, code) values ($guid, '$name', '$username', '$password', '$email', '$language', '$code')"); + $result = insert_data("INSERT into {$CONFIG->dbprefix}users_entity (guid, name, username, password, salt, email, language, code) values ($guid, '$name', '$username', '$password', '$salt', '$email', '$language', '$code')"); if ($result!==false) { $entity = get_entity($guid); if (trigger_elgg_event('create',$entity->type,$entity)) { @@ -960,7 +961,7 @@ */ function generate_random_cleartext_password() { - return substr(md5(microtime()), 0, 8); + return substr(md5(microtime() . rand()), 0, 8); } /** @@ -973,7 +974,7 @@ */ function generate_user_password(ElggUser $user, $password) { - return md5($password); + return md5($password . $user->salt); } /**
@@ -1013,6 +1014,7 @@ $user->email = $email;
$user->name = $name;
$user->access_id = 2; + $user->salt = generate_random_cleartext_password(); // Note salt generated before password! $user->password = generate_user_password($user, $password);
$user->save();
|