I was hoping this would be fixed in 5.70. Please stop using MD5 as the hashing algorithm for passwords. There are much better functions that can (and should) be used instead.
http://php.net/manual/en/faq.passwords.php
The "Remember Me" function uses a poorly designed mechanism of hashing both the username and password together, meaning that the remember me function will always use the same cookie for that user. All an attacker needs to do is get hold of one such session, and he can gain access to the user's session. It will only change if the user decides to change their password.
Please do not use the password for anything other than what it is intended for - to simply authenticate the user at sign-on. It should not be used in the remember me function, or even be passed to a hook.
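For readers who want to see what a remember-me token that is not derived from the credentials looks like, here is an added example (not AppGini's code and not part of this post). It assumes PHP 7.1 or later and simulates the token table with an in-memory array; the column names, the 30-day lifetime and the user "alice" are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Assumed policy for the demo: tokens live 30 days.
const REMEMBER_LIFETIME = 30 * 24 * 3600;

// Weak pattern described in the thread: the cookie is a fixed function of the
// credentials, so it stays valid until the password changes. Shown only to
// contrast with the design below; do not use.
function weakRememberCookie(string $username, string $password): string
{
    return md5($username . $password);
}

// Issue a fresh token. The selector is a public lookup key; the validator is a
// secret that is stored only as a hash, so a leaked table yields no usable
// cookies. $store simulates a database table keyed by selector.
function issueRememberToken(array &$store, string $username, int $now): string
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $store[$selector] = [
        'user'           => $username,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => $now + REMEMBER_LIFETIME,
    ];
    return $selector . ':' . $validator; // the cookie value
}

// Verify a cookie and consume the token, so a captured cookie is single-use;
// the caller issues a replacement after success. A known selector with a wrong
// validator is treated as a possible theft and revoked.
function verifyRememberToken(array &$store, string $cookie, int $now): ?string
{
    if (substr_count($cookie, ':') !== 1) {
        return null;
    }
    list($selector, $validator) = explode(':', $cookie, 2);
    if (!isset($store[$selector])) {
        return null;
    }
    $row = $store[$selector];
    unset($store[$selector]); // consumed whatever the outcome
    if ($row['expires'] < $now) {
        return null;
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return $row['user'];
}

// Revoke every token of a user, e.g. on password change or "log out everywhere".
function revokeUserTokens(array &$store, string $username): void
{
    foreach ($store as $selector => $row) {
        if ($row['user'] === $username) {
            unset($store[$selector]);
        }
    }
}

// Demo run against the simulated table.
$tokens = [];
$now = time();
$cookie = issueRememberToken($tokens, 'alice', $now);
$user = verifyRememberToken($tokens, $cookie, $now);   // 'alice'
$newCookie = issueRememberToken($tokens, $user, $now);  // rotated on success
$replay = verifyRememberToken($tokens, $cookie, $now);  // null: old cookie is spent
revokeUserTokens($tokens, 'alice');                     // e.g. after a password change
$afterRevoke = verifyRememberToken($tokens, $newCookie, $now); // null
```

When sending the cookie in a real application, set it with the `httponly`, `secure` and `samesite` options of `setcookie()` so it is not readable from script and not sent over plain HTTP; the password itself never enters this flow, which is the point of the original post.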
Password and session management within AppGini
Re: Password and session management within AppGini
Agreed. MD5 will no longer pass penetration testing and should be replaced.
Re: Password and session management within AppGini
We plan to enhance password storage security and session management in AppGini 5.71. Stay tuned!
AppGini plugins to add more power to your apps:
- DataTalk is an innovative AppGini plugin based on ChatGPT that allows you to interact with your AppGini database using natural language questions, without writing any SQL. Check the demo video
- Mass Update plugin: Update multiple records at once and improve your workflow efficiency.
- Check our other plugins and get a generous discount of up to 30% when buying 2 or more plugins.
Re: Password and session management within AppGini
Unfortunately not. But we've fixed it in the version in progress currently (AppGini 5.73). We'll release it hopefully in mid November.
Re: Password and session management within AppGini
Just wondering how far off AppGini 5.73 with enhanced password/session security is from release?
Thanks
Re: Password and session management within AppGini
We've fixed the password hashing functionality in AppGini 5.73, as well as 'remember me' hardening. There are some other maintenance tasks remaining, but I hope we'll be able to release it in early December. The new password hashing would work only under PHP 5.5 or higher. For older versions of PHP, AppGini would still fall back to using MD5 hashing. But then, it's not recommended from a security perspective to use PHP versions less than 5.6 nowadays anyway as they are no longer maintained.
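The migration the reply above describes (password_hash() on PHP 5.5 or newer, with legacy MD5 rows still present) is usually done by upgrading each stored hash transparently at the user's next successful login. The following is an added example of that pattern, not AppGini's own code; it assumes the legacy store holds an unsalted 32-hex-character md5(password), as the thread describes, assumes PHP 7.1 or later, and uses a constructed user row for the demo.

```php
<?php
declare(strict_types=1);

// Legacy rows are recognised by shape: 32 hex characters, as md5() produces.
// password_hash() output is longer and starts with an algorithm prefix.
function isLegacyMd5Hash(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

// PASSWORD_DEFAULT lets PHP pick the current recommended algorithm and cost.
function createPasswordHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Returns [ok, newHash]. newHash is non-null when the caller must overwrite
// the stored value: after a legacy MD5 match, or when password_hash()
// parameters have become outdated since the hash was created.
function verifyAndUpgrade(string $password, string $stored): array
{
    if (isLegacyMd5Hash($stored)) {
        // Constant-time comparison even for the legacy path.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return [false, null];
        }
        return [true, createPasswordHash($password)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $newHash = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? createPasswordHash($password)
        : null;
    return [true, $newHash];
}

// Demo with a constructed legacy user row.
$user = ['name' => 'alice', 'pass' => md5('correct horse')];

list($ok, $newHash) = verifyAndUpgrade('correct horse', $user['pass']); // true, new hash
if ($ok && $newHash !== null) {
    $user['pass'] = $newHash; // persist the upgraded hash
}

// The next login verifies against the password_hash() value; no rewrite needed.
list($ok2, $newHash2) = verifyAndUpgrade('correct horse', $user['pass']); // true, null

// A wrong password fails on either path.
list($bad, $unused) = verifyAndUpgrade('wrong', $user['pass']); // false, null
```

Because only a successful login supplies the plaintext needed to rehash, rows of users who never log in again keep their MD5 value; a deployment that wants those gone as well has to expire them (force a reset) after a cut-off date rather than wait for the upgrade-on-login path.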