Password and session management within AppGini
Posted: 2018-01-28 12:28
I was hoping this would be fixed in 5.70. Please stop using MD5 as the hashing algorithm for passwords. There are much better functions that can (and should) be used instead.
http://php.net/manual/en/faq.passwords.php
The "Remember Me" function uses a poorly designed mechanism of hashing both the username and password together, meaning that the remember me function will always use the same cookie for that user. All an attacker needs to do is get hold of one such session, and he can gain access to the user's session. It will only change if the user decides to change their password.
Please do not use the password for anything other than what it is intended for - to simply authenticate the user at sign-on. It should not be used in the remember me function, or even be passed to a hook.
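The two points raised in the post (replace MD5 with the PHP `password_*` API, and keep the password out of the remember-me cookie) can be shown together. The code below is an added example written for this thread, not AppGini's own code: the `$users` and `$tokens` arrays are constructed stand-ins for database tables, and the function names are hypothetical. The remember-me token is a random selector/validator pair whose validator is stored only as a hash, so the cookie value changes on every issue, can be revoked on its own, and never depends on the password.

```php
<?php
// Added example (not AppGini code): password hashing with password_hash() /
// password_verify(), plus a "remember me" token that is independent of the password.
// $users and $tokens are constructed in-memory stand-ins for database tables.

declare(strict_types=1);

// --- Password storage -------------------------------------------------------

// Store only a salted, adaptive hash (PASSWORD_DEFAULT is bcrypt today and may
// move to a stronger algorithm in later PHP releases). Never MD5.
function storePassword(array &$users, string $username, string $password): void
{
    $users[$username] = ['pw_hash' => password_hash($password, PASSWORD_DEFAULT)];
}

// Verify at sign-on. Unknown users still go through one verify so the response
// time does not reveal whether the account exists; known users whose hash uses
// an outdated algorithm or cost are rehashed transparently on success.
function checkPassword(array &$users, string $username, string $password): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    if (!isset($users[$username])) {
        password_verify($password, $dummyHash);
        return false;
    }
    $hash = $users[$username]['pw_hash'];
    if (!password_verify($password, $hash)) {
        return false;
    }
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$username]['pw_hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// --- "Remember me" tokens ----------------------------------------------------

// Issue a token made of a random selector (public lookup key) and a random
// validator (secret). Only a hash of the validator is stored, so a leaked token
// table cannot be replayed, and the password plays no part: each issued cookie
// is different and can be revoked independently of the credential.
function issueRememberToken(array &$tokens, string $username, int $ttlSeconds = 30 * 86400): string
{
    $selector  = bin2hex(random_bytes(9));   // 18 hex chars
    $validator = bin2hex(random_bytes(32));  // 64 hex chars, shown only to the client
    $tokens[$selector] = [
        'user'    => $username,
        'v_hash'  => hash('sha256', $validator),
        'expires' => time() + $ttlSeconds,
    ];
    // In a real deployment the caller would do:
    // setcookie('remember', $selector . ':' . $validator, ['expires' => time() + $ttlSeconds,
    //     'secure' => true, 'httponly' => true, 'samesite' => 'Lax', 'path' => '/']);
    return $selector . ':' . $validator;
}

// Validate a presented cookie value. Returns the username on success, null
// otherwise. Lookup is by selector; the validator hash is compared in constant
// time. The token is consumed on use, so the caller issues a fresh one and a
// stolen copy is invalidated by the legitimate client's next visit.
function checkRememberToken(array &$tokens, string $cookie): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    if (!isset($tokens[$selector])) {
        return null;
    }
    $row = $tokens[$selector];
    unset($tokens[$selector]);               // single-use, whatever the outcome
    if ($row['expires'] < time() || !hash_equals($row['v_hash'], hash('sha256', $validator))) {
        return null;
    }
    return $row['user'];
}

// Revoke every token of a user, e.g. on password change or "log out everywhere".
function revokeRememberTokens(array &$tokens, string $username): void
{
    foreach ($tokens as $sel => $row) {
        if ($row['user'] === $username) {
            unset($tokens[$sel]);
        }
    }
}

// --- Walk-through on constructed data ---------------------------------------
$users  = [];
$tokens = [];
storePassword($users, 'alice', 'correct horse battery staple');
var_dump(checkPassword($users, 'alice', 'wrong'));
var_dump(checkPassword($users, 'alice', 'correct horse battery staple'));

$cookie = issueRememberToken($tokens, 'alice');
var_dump(checkRememberToken($tokens, $cookie));   // consumes the token
var_dump(checkRememberToken($tokens, $cookie));   // same cookie presented again
$cookie2 = issueRememberToken($tokens, 'alice');
revokeRememberTokens($tokens, 'alice');           // as on a password change
var_dump(checkRememberToken($tokens, $cookie2));
```

The walk-through shows a wrong password rejected and the right one accepted, a remember-me cookie accepted once and refused on replay, and a freshly issued cookie refused after the user's tokens are revoked. Because the validator is random rather than derived from the password, the cookie a user receives differs on every login, which is exactly the property the post says the hash-of-username-and-password scheme lacks.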