Password and session management within AppGini

Phil Massyn
Posts: 11
Joined: 2018-01-04 18:36

Post by Phil Massyn » 2018-01-28 12:28

I was hoping this would be fixed in 5.70. Please stop using MD5 as the hashing algorithm for passwords. There are much better functions that can (and should) be used instead.

http://php.net/manual/en/faq.passwords.php

The "Remember Me" function uses a poorly designed mechanism of hashing both the username and password together, meaning that the remember me function will always use the same cookie for that user. All an attacker needs to do, is get a hold of one such session, and he can gain access to the user's session. It will only change if the user decides to change their password.

Please do not use the password for anything other than what it is intended for - to simply authenticate the user at sign-on. It should not be used in the remember me function, or even be passed to a hook.
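The token design the post is asking for, as an added example that is not AppGini's code: a "remember me" cookie made of two random strings, a selector (lookup key) and a validator (secret), where the server stores only a hash of the validator, each cookie is single-use, and every outstanding cookie for a user is revoked on password change. Neither the username nor the password enters the cookie, so a captured value is useless once used or revoked. The in-memory `$store` array, the function names and the 30-day lifetime are assumptions standing in for a database table; PHP 7.1+ is assumed.

```php
<?php
// Added example (not AppGini code): a "remember me" cookie built from random
// tokens, so the cookie value never depends on the username or password and a
// captured value cannot be replayed. Assumes PHP 7.1+.
//
// $store is a constructed stand-in for a database table with columns
// (selector, user, validator_hash, expires). The selector is the lookup key; the
// validator is the secret, kept server-side only as a SHA-256 hash so a leaked
// table does not hand out working cookies.

function issue_remember_token(array &$store, string $username, int $ttl = 30 * 86400): string
{
    $selector  = bin2hex(random_bytes(9));   // 18 hex chars, random lookup key
    $validator = bin2hex(random_bytes(32));  // 64 hex chars, the actual secret
    $store[$selector] = [
        'user'           => $username,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => time() + $ttl,
    ];
    // In a real app send this with setcookie(..., $secure = true, $httponly = true).
    // The cookie carries both halves; only the hash of the validator is stored.
    return $selector . ':' . $validator;
}

function consume_remember_token(array &$store, string $cookie): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    // Single use: drop the row before checking, so the same cookie cannot be
    // presented twice. The caller issues a fresh token after a successful check.
    unset($store[$selector]);
    if ($row['expires'] < time()) {
        return null;
    }
    // hash_equals() compares in constant time; both sides are 64-char hex digests.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return $row['user'];
}

// Call on password change or "log out everywhere": kills every outstanding cookie.
function revoke_remember_tokens(array &$store, string $username): void
{
    foreach ($store as $selector => $row) {
        if ($row['user'] === $username) {
            unset($store[$selector]);
        }
    }
}

// Walk-through with the constructed in-memory store.
$store  = [];
$cookie = issue_remember_token($store, 'alice');
var_dump(consume_remember_token($store, $cookie));   // first use succeeds
var_dump(consume_remember_token($store, $cookie));   // second use of the same cookie must fail
$cookie2 = issue_remember_token($store, 'alice');
revoke_remember_tokens($store, 'alice');             // e.g. after a password change
var_dump(consume_remember_token($store, $cookie2));  // revoked cookie must fail
```

The point of splitting selector and validator is that the database lookup is by the non-secret half, so the constant-time comparison is only ever done against one row and a dump of the table still does not yield a usable cookie. Rotating the token on every use also means a stolen cookie used by an attacker invalidates the legitimate user's copy, which is a detectable signal worth logging.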

peebee
AppGini Super Hero
Posts: 207
Joined: 2013-03-21 04:37

Re: Password and session management within AppGini

Post by peebee » 2018-01-31 04:48

Agreed. MD5 will no longer pass penetration testing and should be replaced.

a.gneady
Site Admin
Posts: 962
Joined: 2012-09-27 14:46

Re: Password and session management within AppGini

Post by a.gneady » 2018-02-08 12:35

We plan to enhance password storage security and session management in AppGini 5.71. Stay tuned!
:idea: Learn all the tips and tricks of customizing AppGini apps through our online course.

:arrow: Summary Reports plugin enables you to build powerful reports and charts inside your AppGini application through a few simple steps. See the big picture and discover trends in your data that empower you to take the right decisions confidently.

:arrow: Search Page Maker enables you to build user-friendly yet powerful search pages for your AppGini application by simply dragging and dropping the fields you want to include in search.

joebloogs
Posts: 13
Joined: 2013-04-17 13:17
Location: Perth

Re: Password and session management within AppGini

Post by joebloogs » 2018-10-30 06:37

a.gneady wrote on 2018-02-08 12:35:
    We plan to enhance password storage security and session management in AppGini 5.71. Stay tuned!

Just wondering, did this security issue get resolved? I can't see the note in the changelog.

a.gneady
Site Admin
Posts: 962
Joined: 2012-09-27 14:46

Re: Password and session management within AppGini

Post by a.gneady » 2018-10-31 10:57

Unfortunately not. But we've fixed it in the version in progress currently (AppGini 5.73). We'll release it hopefully in mid November.

peebee
AppGini Super Hero
Posts: 207
Joined: 2013-03-21 04:37

Re: Password and session management within AppGini

Post by peebee » 2018-11-21 01:01

Just wondering how far off AppGini 5.73 with enhanced password/session security is from release?

Thanks

a.gneady
Site Admin
Posts: 962
Joined: 2012-09-27 14:46

Re: Password and session management within AppGini

Post by a.gneady » 2018-11-28 11:16

We've fixed the password hashing functionality in AppGini 5.73, as well as 'remember me' hardening. There are some other maintenance tasks remaining, but I hope we'll be able to release it in early December. The new password hashing would work only under PHP 5.5 or higher. For older versions of PHP, AppGini would still fall back to using MD5 hashing. But then, it's not recommended from a security perspective to use PHP versions less than 5.6 nowadays anyway as they are no longer maintained.
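What "fixing the password hashing" looks like in practice for an application that already holds a table of MD5 digests, as an added example that is not AppGini's code and does not describe how 5.73 implements it: new passwords go through `password_hash()` (PHP 5.5+, as the post above notes), and a legacy MD5 row is verified one last time with MD5 and then rewritten with a modern hash during that same login, since the plaintext is only available at that moment. The row layout (a bare 32-character hex MD5 versus a self-describing `$2y$...` string) and the function names are assumptions; PHP 7+ is assumed for the type declarations.

```php
<?php
// Added example (not AppGini code): password storage with password_hash() and
// a transparent upgrade path for rows that still hold a bare MD5 hex digest.
// Assumes PHP 7+ (password_hash/password_verify exist from 5.5, hash_equals from 5.6).

// Assumed row layout: a legacy row is an unsalted 32-char hex MD5; a modern row
// is a self-describing "$2y$..." (bcrypt) or "$argon2..." string from password_hash().
function is_legacy_md5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

function hash_new_password(string $password): string
{
    // PASSWORD_DEFAULT selects the current best algorithm; the per-user salt and
    // the cost factor are embedded in the returned string, so nothing else is stored.
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verifies $password against $stored and, on success, rewrites $stored (by reference)
// with a modern hash when it was MD5, or when the default cost has since increased.
// Returns true on success; the caller persists $stored if it changed.
function verify_and_upgrade(string $password, string &$stored): bool
{
    if (is_legacy_md5($stored)) {
        // Constant-time compare of two 32-char hex strings, then migrate immediately.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        $stored = hash_new_password($password);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Keep hashes current as PHP's default cost/algorithm moves on over the years.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = hash_new_password($password);
    }
    return true;
}

// Walk-through with a constructed legacy row.
$row = md5('correct horse battery staple');                           // old-style MD5 row
var_dump(verify_and_upgrade('wrong password', $row));                 // must fail, row untouched
var_dump(is_legacy_md5($row));                                        // still MD5
var_dump(verify_and_upgrade('correct horse battery staple', $row));   // succeeds and migrates
var_dump(is_legacy_md5($row));                                        // now a password_hash() string
var_dump(password_verify('correct horse battery staple', $row));
```

Two practical caveats: the migration only reaches users who log in, so rows that are still MD5 after a cut-off date should be forced through a password reset rather than left indefinitely; and the MD5 branch must disappear entirely once no legacy rows remain, otherwise an attacker who can write to the table could downgrade a row to a crackable format. Falling back to MD5 on PHP versions older than 5.5, as the post describes, keeps every user on that platform exposed, so the version floor should be treated as a hard requirement rather than a soft one.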
