How to check validity of password hash on serverside



caseyryan
Posts: 6
Joined: 19 Sep 2018, 12:45

Postby caseyryan » 20 Sep 2018, 16:30

Hi!
After an hour of googling and many trials and errors I couldn't find a way to check passwords on the server side.
The problem is that the C# client uses this method to hash passwords in LoginRequest:

Code:

PasswordUtil.MD5Password(sfs.SessionToken + password)

And the session token is always different after reconnection.
I also didn't find a way to sign up, so I'm doing it like this now:
I've created 2 zones, one for the signup process and one for the rest of the work. The signup zone allows guest sessions, so I'm logging in as a guest and sending additional params for signing up. But here's another problem. I need to store the password for the newly created account, but I can't do it because I won't be able to get the same password next time.
The only way I see is to submit the password in raw form to the server, which makes these measures (client-side hashing) useless, because the validation can be done by comparing a hash stored in a database with a hash that can be created completely on the server side by using the raw password and some salt.

What am I missing here?
------------
p.s. I've found this page now https://smartfoxserver.com/blog/login-with-encryption/ and it says that submitting raw passwords is a common practice for SFS.
But I can't understand another thing here. It just checks the hash for validity; basically it does just this:

Code:

public boolean checkSecurePassword(ISession session, String originalPass, String encryptedPass) {
    // The stored (original) password must be present
    if (originalPass == null || originalPass.isEmpty()) {
        return false;
    }
    // The client-supplied hash must be present
    if (encryptedPass == null || encryptedPass.isEmpty()) {
        return false;
    }
    // Recompute the CHAP hash (session token + stored password) and compare it
    // case-insensitively with what the client sent
    return encryptedPass.equalsIgnoreCase(CryptoUtils.getClientPassword(session, originalPass));
}

I don't see any database checks. What if I just use any password on the client side? It will be hashed using the sessionToken and it will definitely also pass this check on the server side. Security? :shock:
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: How to check validity of password hash on serverside

Postby Lapo » 21 Sep 2018, 07:52

Hi,
first of all, handling login credentials is done in two different ways depending on whether you use protocol encryption or not.
We recommend the latter over the former.

The article you have linked shows both modalities:

1 -> In the "old way" (i.e. no TLS protocol encryption) you have to use the CHAP system to keep the password secure (as outlined in the article).

2 -> In the new way (i.e. w/ TLS encryption) you can send the password "in clear" because TLS will protect it.

> I don't see any database checks. What if I just use any password on client side?

The code snippets in the article are simplified for the sake of showing the basic logic. It's not the scope of the article to show how to check a user's password against a specific database.

If you don't know how to do that it would be best to find a generic tutorial for the specific database you're going to use.
Also you can take a look at this article from our docs that uses MySQL:
https://smartfoxserver.com/blog/custom- ... -database/

Hope it helps
Lapo
--
gotoAndPlay()
...addicted to flash games
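The database lookup that the article's snippet leaves out, as an added example that is not part of the thread or of the SFS2X code base: the server fetches the stored password for the user, recomputes the CHAP hash with the current session's token, and compares it with what the client sent. The in-memory credential store, the usernames and the helper names are assumptions made up for this example; the hashing mirrors the `MD5Password(sessionToken + password)` call quoted above.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory store standing in for the database lookup.
# Note: in this CHAP variant the server must hold the original password,
# because it has to recompute the client's hash for each new session token.
CREDENTIALS = {"alice": "correct horse battery staple"}


def new_session_token() -> str:
    """Server-issued per-connection token; it differs on every reconnect."""
    return secrets.token_hex(16)


def client_hash(session_token: str, password: str) -> str:
    """Mirror of the client's MD5Password(sessionToken + password)."""
    return hashlib.md5((session_token + password).encode("utf-8")).hexdigest()


def check_secure_password(session_token: str, username: str, client_pass: str) -> bool:
    """Server side: look up the stored password, recompute the expected hash
    for *this* session's token and compare in constant time (case-insensitive,
    like equalsIgnoreCase in the Java snippet)."""
    stored = CREDENTIALS.get(username)
    if not stored or not client_pass:
        return False
    expected = client_hash(session_token, stored)
    return hmac.compare_digest(expected.lower(), client_pass.lower())
```

A hash computed with an arbitrary client-side password fails the check because the server derives the expected value from the stored credential, not from the client's input; a hash from a previous session fails too, since the token changed.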
caseyryan
Posts: 6
Joined: 19 Sep 2018, 12:45

Re: How to check validity of password hash on serverside

Postby caseyryan » 21 Sep 2018, 08:00

Thanks!
I'm using MongoDB. I've found no built-in way to use this DB in SmartFox, so I'm building a custom connector.
For now I've created a CustomLoginRequest based on LoginRequest but without password hashing. I'm using TLS, so it's gonna be no problem.
