Password and session management within AppGini

Phil Massyn
Posts: 11
Joined: 2018-01-04 18:36

Password and session management within AppGini

Post by Phil Massyn » 2018-01-28 12:28

I was hoping this would be fixed in 5.70. Please stop using MD5 as the hashing algorithm for passwords. There are much better functions that can (and should) be used instead.

http://php.net/manual/en/faq.passwords.php

The "Remember Me" function uses a poorly designed mechanism of hashing both the username and password together, meaning that the remember me function will always use the same cookie for that user. All an attacker needs to do is get hold of one such session, and he can gain access to the user's session. It will only change if the user decides to change their password.

Please do not use the password for anything other than what it is intended for - to simply authenticate the user when signing on. It should not be used in the remember me function, or even be passed to a hook.
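The alternative the post is asking for, as an added example that is not AppGini's code: a "remember me" cookie built from random bytes rather than from the password, so it changes on every use and can be revoked independently of the password. It assumes a PDO connection $db and a hypothetical table remember_tokens (selector, validator_hash, username, expires); random_bytes() needs PHP 7 and the setcookie() options array needs PHP 7.3.

```php
<?php
// Added example, not AppGini's own code. Assumes a PDO handle $db and a table
// remember_tokens(selector CHAR(24), validator_hash CHAR(64), username VARCHAR(64), expires INT).

const REMEMBER_DAYS = 30;

function issueRememberToken(PDO $db, string $username): void
{
    $selector  = bin2hex(random_bytes(12)); // lookup key, stored in clear
    $validator = bin2hex(random_bytes(32)); // secret; only its hash is stored server-side
    $expires   = time() + REMEMBER_DAYS * 86400;

    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, username, expires) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $username, $expires]);

    // The cookie never contains anything derived from the password.
    setcookie('remember', $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Returns the username to log in, or null if the cookie is absent, expired or invalid.
function checkRememberToken(PDO $db): ?string
{
    if (empty($_COOKIE['remember'])) {
        return null;
    }
    $parts = explode(':', $_COOKIE['remember'], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $db->prepare('SELECT validator_hash, username, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires'] < time()) {
        return null;
    }

    // Constant-time comparison of the hashed validator.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector with a wrong validator: treat the token as compromised and revoke it.
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }

    // Single use: rotate the token on every successful login so a captured cookie
    // stops working as soon as the legitimate user logs in again.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    session_regenerate_id(true);
    issueRememberToken($db, $row['username']);
    return $row['username'];
}

// Call on password change and on logout so every outstanding cookie is invalidated.
function revokeAllRememberTokens(PDO $db, string $username): void
{
    $db->prepare('DELETE FROM remember_tokens WHERE username = ?')->execute([$username]);
    setcookie('remember', '', time() - 3600, '/');
}
```

Because the stored validator is hashed, a read-only leak of the remember_tokens table does not yield usable cookies, and because the token is unrelated to the password, a password change can revoke sessions without the reverse being true.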

peebee
AppGini Super Hero
Posts: 190
Joined: 2013-03-21 04:37

Re: Password and session management within AppGini

Post by peebee » 2018-01-31 04:48

Agreed. MD5 will no longer pass penetration testing and should be replaced.

a.gneady
Site Admin
Posts: 938
Joined: 2012-09-27 14:46

Re: Password and session management within AppGini

Post by a.gneady » 2018-02-08 12:35

We plan to enhance password storage security and session management in AppGini 5.71. Stay tuned!
AppGini: Responsive, collaborative web db apps in minutes.
:idea: Learn all the tips and tricks of customizing AppGini apps through our online course.

joebloogs
Posts: 13
Joined: 2013-04-17 13:17
Location: Perth

Re: Password and session management within AppGini

Post by joebloogs » 2018-10-30 06:37

a.gneady wrote (2018-02-08 12:35):
> We plan to enhance password storage security and session management in AppGini 5.71. Stay tuned!

Just wondering, did this security issue get resolved? I can't see the note in the changelog.

a.gneady
Site Admin
Posts: 938
Joined: 2012-09-27 14:46

Re: Password and session management within AppGini

Post by a.gneady » 2018-10-31 10:57

Unfortunately not. But we've fixed it in the version in progress currently (AppGini 5.73). We'll release it hopefully in mid November.

peebee
AppGini Super Hero
Posts: 190
Joined: 2013-03-21 04:37

Re: Password and session management within AppGini

Post by peebee » 2018-11-21 01:01

Just wondering how far off AppGini 5.73 with enhanced password/session security is from release?

Thanks

a.gneady
Site Admin
Posts: 938
Joined: 2012-09-27 14:46

Re: Password and session management within AppGini

Post by a.gneady » 2018-11-28 11:16

We've fixed the password hashing functionality in AppGini 5.73, as well as 'remember me' hardening. There are some other maintenance tasks remaining, but I hope we'll be able to release it in early December. The new password hashing would work only under PHP 5.5 or higher. For older versions of PHP, AppGini would still fall back to using MD5 hashing. But then, it's not recommended from a security perspective to use PHP versions less than 5.6 nowadays anyway as they are no longer maintained.
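How a login path can move from MD5 digests to password_hash() without a flag day, as an added example that is not AppGini's own code: existing MD5 rows cannot be converted offline (the plaintext is needed), so each user's row is upgraded at their next successful login, and password_needs_rehash() keeps already-migrated rows current when the default cost changes. It assumes a PDO handle $db and a hypothetical users table with username and password columns; password_hash() and password_verify() exist from PHP 5.5, as the post notes.

```php
<?php
// Added example, not AppGini's own code. Assumes a PDO handle $db and a table
// users(username VARCHAR(64), password VARCHAR(255)) where the password column holds
// either a legacy 32-hex-char MD5 digest or a password_hash() string.

function storeNewPassword(PDO $db, string $username, string $password): void
{
    // bcrypt via PASSWORD_DEFAULT: per-user salt and a tunable work factor, unlike md5().
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $db->prepare('UPDATE users SET password = ? WHERE username = ?')->execute([$hash, $username]);
}

function isLegacyMd5(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

// Returns true on a correct password; upgrades the stored hash as a side effect when needed.
function verifyLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }

    if (isLegacyMd5($stored)) {
        // Legacy row: compare in constant time, then replace the MD5 digest immediately.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        storeNewPassword($db, $username, $password);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Already migrated, but re-hash if the default algorithm or cost has since changed.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        storeNewPassword($db, $username, $password);
    }
    return true;
}

// Optional cut-off: how many accounts still carry an MD5 digest. Once this reaches zero
// the legacy branch above can be deleted; until then, a forced reset can finish the job.
function countLegacyRows(PDO $db): int
{
    $stmt = $db->query("SELECT COUNT(*) FROM users WHERE password REGEXP '^[0-9a-fA-F]{32}$'");
    return (int) $stmt->fetchColumn();
}
```

The legacy branch is the only place md5() still appears, and it exists solely to recognise old rows; every new or re-verified password ends up under password_hash(), so the MD5 fallback the post mentions for old PHP versions would not be needed on PHP 5.5 or later.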
