After an hour of googling and many trials and errors I couldn't find a way to check passwords on the server side.
The problem is that the C# client uses this method to hash passwords in LoginRequest:
Code:
PasswordUtil.MD5Password(sfs.SessionToken + password)
And the session token is always different after reconnection.
I also didn't find a way to sign up, so I'm doing it like this now:
I've created 2 zones, one for the signup process and one for the rest of the work. The signup zone allows guest sessions, so I'm logging in as a guest and sending additional params for signing up. But here's another problem. I need to store the password for the newly created account, but I can't do it because I won't be able to get the same password next time.
The only way I see is to submit the password in raw form to the server, which makes these measures (client-side hashing) useless, because the validation can be done by comparing a hash stored in a database with a hash that can be created completely on the server side by using the raw password and some salt.
What am I missing here?
------------
p.s. I've found this page now https://smartfoxserver.com/blog/login-with-encryption/ and it says that submitting raw passwords is a common practice for SFS.
But I can't understand another thing here. It just checks the hash for validity; basically it does just this:
Code:
// SFS2X API method as posted (decompiled); reindented, behaviour unchanged.
public boolean checkSecurePassword(ISession session, String originalPass, String encryptedPass) {
    // originalPass is the password the caller supplies (e.g. fetched from the DB)
    if (originalPass != null && originalPass.length() >= 1) {
        // recompute the client-side hash from the session and originalPass,
        // then compare it (case-insensitively) with what the client sent
        return encryptedPass != null && encryptedPass.length() >= 1
            ? encryptedPass.equalsIgnoreCase(CryptoUtils.getClientPassword(session, originalPass))
            : false;
    } else {
        return false;
    }
}
I don't see any database checks. What if I just use any password on client side? It will be hashed using sessionToken and it will definitely also pass this check on server side. Security?
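The following is an added example, not code from the post or from SmartFoxServer, written to show where the database check sits in the scheme the post describes. It assumes (matching the C# line quoted above) that CryptoUtils.getClientPassword(session, originalPass) is simply MD5(sessionToken + originalPass) as lowercase hex, and that the login handler is the caller that fetches originalPass from its own user store before calling checkSecurePassword. The user table, session tokens and helper names (USER_DB, handle_login, client_hash) are constructed stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the server's user table. Because checkSecurePassword
# needs the *original* password as its second argument, this scheme requires the
# server to hold the password in a form it can turn back into clear text.
USER_DB = {"alice": "correct horse battery staple"}


def new_session_token() -> str:
    """Fresh per-connection token, like sfs.SessionToken (random on every reconnect)."""
    return secrets.token_hex(16)


def client_hash(session_token: str, password: str) -> str:
    """Client side: PasswordUtil.MD5Password(sfs.SessionToken + password)."""
    return hashlib.md5((session_token + password).encode("utf-8")).hexdigest()


def get_client_password(session_token: str, original_pass: str) -> str:
    """Assumed equivalent of CryptoUtils.getClientPassword(session, originalPass):
    the server recomputes exactly what an honest client would have sent."""
    return hashlib.md5((session_token + original_pass).encode("utf-8")).hexdigest()


def check_secure_password(session_token: str, original_pass: str, encrypted_pass: str) -> bool:
    """Mirrors the posted Java logic: reject empty inputs, then compare digests.
    The Java version uses equalsIgnoreCase; here the case-insensitive compare is
    done in constant time so the comparison itself leaks nothing."""
    if not original_pass or not encrypted_pass:
        return False
    expected = get_client_password(session_token, original_pass)
    return hmac.compare_digest(expected.lower(), encrypted_pass.lower())


def handle_login(session_token: str, username: str, encrypted_pass: str) -> bool:
    """The part the API does not do for you: the login handler looks the user up
    in its own store and passes the stored password as originalPass."""
    original_pass = USER_DB.get(username)
    if original_pass is None:
        return False  # unknown user; never call the check with an empty originalPass
    return check_secure_password(session_token, original_pass, encrypted_pass)


def demo() -> tuple:
    """Returns (honest login, wrong password, hash replayed under a new token)."""
    token = new_session_token()
    ok = handle_login(token, "alice", client_hash(token, "correct horse battery staple"))
    # A client that hashes an arbitrary password does NOT pass: the server hashes
    # the DB password, not whatever the client chose.
    wrong = handle_login(token, "alice", client_hash(token, "anything"))
    # A captured hash is useless on the next connection because the token changes.
    replay = handle_login(new_session_token(), "alice",
                          client_hash(token, "correct horse battery staple"))
    return ok, wrong, replay


if __name__ == "__main__":
    print(demo())
```

The example also makes the cost of the design visible: the server must be able to produce the original password on every login, which is why the linked SFS blog post recommends an encrypted transport rather than treating the MD5 step as password storage protection.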