I have a table in my database called (users_system) contains:
user_id
user_pass (plain text)
... some other fields
What I want is to be able to do laravel(5.2) authentication using those two fields considering the (Auth::attempt) only deal with email and hashed password.
So is that possible and if so how to do it?
You can check credentials and login user manually:
$userSystem = UserSystem::where('user_id', $userId)->where('user_pass', $password)->first();
if (!is_null($userSystem)) {
// Manually login user.
$user = User::find($userId);
Auth::login($user);
}
But this is a terrible idea to use plain text passwords. You should never do that in a real app.
Related
I want to get user data
I tried using
$user_data = App\User::where(["username"=>"admin", "password"=>bcrypt("test123")])->get();
But it is not working! I am sure the username and password is correct!
then I tried another one without bcrypt
$user_data = App\User::where(["username"=>"admin", "password"=>"test123"])->get();
And still not working!.
I don't know what is the problem.
I wondering if I can use Auth::attempt just to get the user data (without log-in)
$user_data = Auth::attempt(["username"=>"admin", "password"=>"test123"]);
Auth::attempt will signing you in. But I don't want that. I just want to get the user data only (without sign-in)
I forgot to mention that I'm creating an API...
However, I solved the problem by using Auth::once()
Auth::once(['username'=>'admin', 'password'=>'test123']);
I have google this alot, but unfortunatilty found no working solution.
I know its a bad technique, but I need to send user its password by email.
I have manage to sent user Hash password, but i am unable to decrypt this password.
The following is the procedure i am using.
$results = DB::select("select * from dockl_users where email='" . Input::get('email') ."';");
foreach($results as $data){
$password= $data->password;
$email= $data->email;
}
Mail::send('passwordRecovery', array('email' =>$password), function($message)
{
$message->to(Input::get('email') )->subject('Password Recovery');
});
The above code send Encrypted password to the user by email but when i try to decrypt, it gives me following error message.
$decrypt= Crypt::decrypt($data->password);
Invalid data.
throw new DecryptException("Invalid data.");
Kindly guide me how to achieve this..
Short answer is that you don't 'decrypt' the password (because it's not encrypted - it's hashed).
The long answer is that you shouldn't send the user their password by email, or any other way. If the user has forgotten their password, you should send them a password reset email, and allow them to change their password on your website.
Laravel has most of this functionality built in (see the Laravel documentation - I'm not going to replicate it all here. Also available for versions 4.2 and 5.0 of Laravel).
For further reading, check out this 'blogoverflow' post: Why passwords should be hashed.
For compare hashed password with the plain text password string you can use the PHP password_verify
if(password_verify('1234567', $crypt_password_string)) {
// in case if "$crypt_password_string" actually hides "1234567"
}
I'm trying to create a link that when clicked will login a user automatically and take them to a specific page.
I've thought about creating some sort of hashed string that contains the user's ID, username and a few other pieces of info. When clicked these pieces of information are looked up in the DB and if validated I login them in and redirect them to a specific page.
For sites like Twitter and Facebook when I receive an email notification and click the link in my email I'm automatically taken to my inbox on the corresponding site. I'm trying to duplicate that behavior...
Are there any security issues with doing something like this or is there a safer more preferred way?
if you want to offer this feature to your users, you have to take care of two things:
The validity of the created url must be set in time (ex: 24hours, 48hours).
The created url must only work for one specific user.
(optionnal) The created url only work for one page
I propose this kind of solution to create an url which match these criteria (it's only a proof of concept):
<?php
$privateKey = 'somethingVerySecret';
$userName = 'cedric';
$url = 'my/personal/url';
$timeLimit = new DateTime('Tomorow');
function createToken($privateKey, $url, $userName, $timeLimit){
return hash('sha256', $privateKey.$url.$userName.$timeLimit);
}
function createUrl($privateKey, $url, $userName, $timeLimit){
$hash = createToken($privateKey, $url, $userName, $timeLimit->getTimestamp());
$autoLoginUrl = http_build_query(array(
'name' => $userName,
'timeLimit' => $timeLimit,
'token' => $hash
));
return $url.'?'.$autoLoginUrl;
}
function checkUrl($privateKey){
if((int)$_GET['timeLimit'] > time() ){
return false;
}
//check the user credentials (he exists, he have right on this page)
$hash = createToken($privateKey, $_SERVER['PHP_SELF'], $_GET['name'], $_GET['timeLimit']);
return ($_GET['token'] == $hash);
}
The general standard for logging in is when a user creates an account your program should create a string of seemly random letters and numbers with a certain php function in php 5.5, and then store this in a file with some sort of pointer based on the username. Then when a user tries to login you use that same function and compare the two strings. The function being hash_pbkdf2 even though this php function supports sha... encryptions do not use those. I salt the hash code with the username. Here is an article on all website login and password things. The most secure thing you can do with your website to prevent people from brute force cracking your passwords is to limit the connection speed after a couple wrong password attempt to something so slow it would take longer than the life of the universe to crack after a couple password attempts. If you wanted to make a sort of remember me button store the username in cookies But never the password the browser will take care of the remembering password part if you label your form elements correctly.
I have a Session which contain the "user id"
I have some information stored in the user table (that I need to grab)
The question is If I should grab all data and put it in a object on each request or just make the query when an action is made?
Example #1
//Update Password
//a user object contain all data from users table...
if ($user->password == $new_password) {
$errors[] = 'You can\'t choose the same password!';
}
Example #2
//Update Password
//$current_password = query password and fetch
if ($current_password == $new_password) {
//...
}
Etc...
For simple projects, it is best to put that data in a "user object", in the session. But, only place data in that object that is not subject to rapid change, such as their username, userid, privilege level, etc.
More to the point, do not keep the user's password hash in the session, and especially do not store the user's password in plaintext in your database or in the session data. By the looks of it, I believe you may be doing just that.
Instead, use a hash function to secure the password data from reversibility.
I'm integrating an application with the osCommerce shopping cart and want users to be able to log into the app with the same account details they do with osCommerce.
Everything works fine but I got stuck on the user login system. I need to know how to check against a user entered password in my application against the osCommerce user's credentials. They're using a combination of MD5 and salt for generating the password.
How can I use that method to check my user's password?
To check against the password saved in osCommerce, just use the osCommerce function that checks the attempt against the one stored in the database. You'll find this function in the following:
catalog/includes/functions/password_funcs.php
////
// This funstion validates a plain text password with an encrpyted password
function tep_validate_password($plain, $encrypted) {
if (tep_not_null($plain) && tep_not_null($encrypted)) {
// split apart the hash / salt
$stack = explode(':', $encrypted);
if (sizeof($stack) != 2) return false;
if (md5($stack[1] . $plain) == $stack[0]) {
return true;
}
}
return false;
}
So all you need to do is extract the password column from the customers table, based on their entered email address, and compare.
tep_validate_password(password_attempt, password_from_osC)
If you're just going to include it, make sure you also include the catalog/includes/functions/general.php file since that's where the tep_not_null function is defined.