Password and session management within AppGini

Posted: 2018-01-28 12:28
by Phil Massyn
I was hoping this would be fixed in 5.70. Please stop using MD5 as the hashing algorithm for passwords. There are much better functions that can (and should) be used instead.

http://php.net/manual/en/faq.passwords.php

The "Remember Me" function uses a poorly designed mechanism of hashing both the username and password together, meaning that the remember me function will always use the same cookie for that user. All an attacker needs to do is get hold of one such session, and he can gain access to the user's session. It will only change if the user decides to change their password.

Please do not use the password for anything other than what it is intended for: simply authenticating the user at sign-on. It should not be used in the remember me function, or even be passed to a hook.
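The post above objects to a remember-me cookie derived from hash(username + password). The following is an added example, not AppGini's code, of the usual alternative: a random selector/validator token that is issued per login, stored only as a hash, rotated on every use and revoked on password change, so a captured cookie is worthless after its first use. A PHP array stands in for the database table, the `expect()` helper is just for the walk-through, and the code assumes PHP 7.0+ for `random_bytes()` (older PHP can use the paragonie/random_compat polyfill).

```php
<?php
// Added example (not AppGini's code): a "remember me" token that is random per
// login and independent of the password. A PHP array stands in for the
// remember_me table; the returned string is what would go into the cookie.
// Assumes PHP 7.0+ (random_bytes); on older PHP use the paragonie/random_compat polyfill.
declare(strict_types=1);

const REMEMBER_TTL = 30 * 24 * 3600;   // 30 days

/** Create a token: selector (lookup key, stored in clear) + validator (secret, stored hashed). */
function issue_remember_token(array &$tokens, string $user, int $now): string
{
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $tokens[$selector] = [
        'user'           => $user,
        'validator_hash' => hash('sha256', $validator),   // fast hash is fine: validator has 256 bits of entropy
        'expires'        => $now + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;   // cookie value; set it HttpOnly + Secure
}

/** Validate a presented cookie. Returns the username, or null. The token is single-use. */
function check_remember_token(array &$tokens, string $cookie, int $now)
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($selector, $validator) = $parts;
    if (!isset($tokens[$selector])) {
        return null;
    }
    $row = $tokens[$selector];
    unset($tokens[$selector]);   // consumed either way: a valid use rotates, an invalid one revokes
    if ($row['expires'] < $now) {
        return null;
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;   // known selector, wrong secret: treat as a replayed or forged cookie
    }
    return $row['user'];
}

/** Call on password change or "log out everywhere". */
function revoke_user_tokens(array &$tokens, string $user)
{
    foreach ($tokens as $selector => $row) {
        if ($row['user'] === $user) {
            unset($tokens[$selector]);
        }
    }
}

function expect(bool $cond, string $what)
{
    echo ($cond ? 'ok   ' : 'FAIL ') . $what . PHP_EOL;
}

// Walk-through with a constructed user.
$tokens = [];
$now = time();

$c1 = issue_remember_token($tokens, 'alice', $now);
$c2 = issue_remember_token($tokens, 'alice', $now);
expect($c1 !== $c2, 'two logins yield two different cookies (hash(user.pass) would not)');

expect(check_remember_token($tokens, $c1, $now) === 'alice', 'fresh cookie logs alice in');
$c3 = issue_remember_token($tokens, 'alice', $now);   // rotate on every successful use
expect(check_remember_token($tokens, $c1, $now) === null, 'a captured copy of c1 is now useless');

revoke_user_tokens($tokens, 'alice');   // e.g. alice changed her password
expect(check_remember_token($tokens, $c2, $now) === null, 'password change kills c2');
expect(check_remember_token($tokens, $c3, $now) === null, 'password change kills c3');
expect(check_remember_token($tokens, 'garbage', $now) === null, 'malformed cookie rejected');
```

The split into a selector and a validator is deliberate: the database lookup is by selector, so the constant-time `hash_equals()` is only ever applied to one row, and an attacker who reads the table gets validator hashes rather than usable cookies. Nothing in the token depends on the password, so the "only changes when the password changes" problem in the post does not arise.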

Re: Password and session management within AppGini

Posted: 2018-01-31 04:48
by peebee
Agreed. MD5 will no longer pass penetration testing and should be replaced.

Re: Password and session management within AppGini

Posted: 2018-02-08 12:35
by a.gneady
We plan to enhance password storage security and session management in AppGini 5.71. Stay tuned!

Re: Password and session management within AppGini

Posted: 2018-10-30 06:37
by joebloogs
a.gneady wrote:
2018-02-08 12:35
We plan to enhance password storage security and session management in AppGini 5.71. Stay tuned!
Just wondering, did this security issue get resolved? I can't see the note in the changelog.

Re: Password and session management within AppGini

Posted: 2018-10-31 10:57
by a.gneady
Unfortunately not. But we've fixed it in the version in progress currently (AppGini 5.73). We'll release it hopefully in mid November.

Re: Password and session management within AppGini

Posted: 2018-11-21 01:01
by peebee
Just wondering how far off AppGini 5.73 with enhanced password/session security is from release?

Thanks

Re: Password and session management within AppGini

Posted: 2018-11-28 11:16
by a.gneady
We've fixed the password hashing functionality in AppGini 5.73, as well as 'remember me' hardening. There are some other maintenance tasks remaining, but I hope we'll be able to release it in early December. The new password hashing would work only under PHP 5.5 or higher. For older versions of PHP, AppGini would still fall back to using MD5 hashing. But then, it's not recommended from a security perspective to use PHP versions less than 5.6 nowadays anyway as they are no longer maintained.
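The thread asks for `password_hash()` (the php.net FAQ linked in the first post) and the last post notes that existing installs still hold MD5 hashes, with MD5 as the fallback below PHP 5.5. The following is an added example, not AppGini's code, showing how a login routine can verify against both forms and upgrade each legacy row the next time its owner logs in, while refusing to create any new MD5 hash. It assumes the legacy form is unsalted `md5($password)` (the thread only says "MD5"), PHP 7.0+ for `hash_equals()` and the `password_*` functions, and uses a PHP array as a stand-in user table with constructed credentials.

```php
<?php
// Added example (not AppGini's code): log users in against a table that still
// contains legacy MD5 hashes and upgrade each row to password_hash() on the
// next successful login. Assumptions: the legacy form is unsalted md5($password)
// (the thread only says "MD5"); PHP 7.0+ for password_* and hash_equals().
declare(strict_types=1);

// Constructed user table standing in for the DB: username => stored hash.
$users = array(
    'alice' => md5('correct horse battery staple'),          // legacy row
    'bob'   => password_hash('hunter2', PASSWORD_DEFAULT),   // already migrated
);

function is_legacy_md5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

function hash_password(string $password): string
{
    if (!function_exists('password_hash')) {
        // PHP < 5.5: refuse to store a new MD5 rather than fall back silently.
        throw new RuntimeException('password_hash() needs PHP 5.5+ or the ircmaxell/password_compat polyfill');
    }
    return password_hash($password, PASSWORD_DEFAULT);
}

/** True on success. Upgrades $users[$user] in place when the stored hash is stale. */
function login(array &$users, string $user, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }
    if (!isset($users[$user])) {
        password_verify($password, $dummy);   // same cost as a real check, so unknown users are not faster
        return false;
    }
    $stored = $users[$user];

    if (is_legacy_md5($stored)) {
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $users[$user] = hash_password($password);   // we hold the plaintext now: migrate
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$user] = hash_password($password);   // algorithm or cost changed since it was stored
    }
    return true;
}

function expect(bool $cond, string $what)
{
    echo ($cond ? 'ok   ' : 'FAIL ') . $what . PHP_EOL;
}

expect(is_legacy_md5($users['alice']), 'alice starts on MD5');
expect(login($users, 'alice', 'correct horse battery staple'), 'alice logs in with her old password');
expect(!is_legacy_md5($users['alice']) && password_verify('correct horse battery staple', $users['alice']),
       'alice row silently upgraded to ' . substr($users['alice'], 0, 4));
expect(!login($users, 'alice', 'wrong'), 'wrong password rejected after upgrade');
expect(login($users, 'bob', 'hunter2'), 'already-migrated user still works');
expect(!login($users, 'mallory', 'x'), 'unknown user rejected');
```

Two points worth keeping when adapting this: rows that are never logged into again stay on MD5 forever, so a migration should also set a deadline after which unconverted accounts are forced through a password reset; and `password_needs_rehash()` is what lets the cost factor (or a future `PASSWORD_DEFAULT` algorithm) be raised later without another one-off migration.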