SFS supports functionality for secure login by sending salted MD5 hashes of passwords to the server.
But this relies on the server storing the password in plain text. Best practices would say the server should store a salted hash, which breaks this. Can you suggest an approach if the server stores hashed passwords?
Security & hashing etc
Step 1: Registration - upon registration, the application encrypts the password and then sends it to the server for database storage purposes. Note, it would be ideal if you did this via HTTPS since you cannot add random letters to the password.
Step 2: Login - when you log in, have the application encrypt the password first, i.e. var mypass = m5_encrypt(password.text), then encrypt it again along with the random key sent from the server, i.e. var myM5 = m5_encrypt(randomKeyFromServer + mypass)
Step 3: Server side - upon receiving the password by using evt["pass"], store this locally. Retrieve the "hashed" password from the database, along with the random key sent to the client (var key = _server.getSecretKey(chan)), where chan is the channel of that specific user (evt["chan"]). Encrypt these two together (dbase password + key), i.e. m5_encrypt(hashedPasswordFromDatabase + key), and then compare it with the password received from evt["pass"].
Hope this helps
Smartfox's forum is my daily newspaper.
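The three steps in the reply above, sketched end to end as an added Node.js example (not code from the post or from SmartFoxServer). The names `md5`, `register`, `issueKey`, `clientResponse`, `verifyLogin` and `demo` are hypothetical, `issueKey` stands in for `_server.getSecretKey(chan)`, and the example assumes both sides concatenate the key first, as in the client line of step 2; the single-use key and constant-time compare are additions.

```javascript
const crypto = require("crypto");
const md5 = (s) => crypto.createHash("md5").update(s, "utf8").digest("hex");

// Step 1: the client sends md5(password); the server stores only that value.
function register(db, user, password) {
  db.set(user, md5(password));
}

// Server: fresh random key per channel (assumed stand-in for getSecretKey).
function issueKey(sessions, chan) {
  const key = crypto.randomBytes(16).toString("hex");
  sessions.set(chan, key);
  return key;
}

// Step 2: client answers with md5(key + md5(password)).
function clientResponse(password, key) {
  return md5(key + md5(password));
}

// Step 3: server rebuilds the value from the stored hash in the SAME order.
function verifyLogin(db, sessions, chan, user, pass) {
  const key = sessions.get(chan);
  const stored = db.get(user);
  sessions.delete(chan); // added hardening: key is single-use, replays fail
  if (!key || !stored || typeof pass !== "string") return false;
  const expected = Buffer.from(md5(key + stored), "hex");
  const got = Buffer.from(pass, "hex"); // malformed hex yields a short buffer
  return got.length === expected.length && crypto.timingSafeEqual(expected, got);
}

// Constructed sample data: one user, one channel.
function demo() {
  const db = new Map(), sessions = new Map(), pw = "s3cret-constructed";
  register(db, "alice", pw);
  const k1 = issueKey(sessions, 1);
  const resp = clientResponse(pw, k1);
  const good = verifyLogin(db, sessions, 1, "alice", resp);
  const replay = verifyLogin(db, sessions, 1, "alice", resp); // key consumed
  const k2 = issueKey(sessions, 1);
  const wrong = verifyLogin(db, sessions, 1, "alice", clientResponse("guess", k2));
  const k3 = issueKey(sessions, 1);
  // Hash-then-key order on one side only: the values no longer match.
  const misordered = verifyLogin(db, sessions, 1, "alice", md5(md5(pw) + k3));
  return { good, replay, wrong, misordered };
}
```

With this scheme the stored `md5(password)` is itself sufficient to compute a valid response, so the database column has to be protected like a plaintext password column.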