Created
March 25, 2012 13:33
-
-
Save cballou/2193924 to your computer and use it in GitHub Desktop.
Securing Your PHP Sessions with a Salt (old, use bcrypt)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
CREATE TABLE `secure_login` ( | |
`id` INT(11) UNSIGNED NOT NULL AUTO_INCREMENT, | |
`email` VARCHAR(120) NOT NULL, | |
`password` VARCHAR(40) NOT NULL, | |
`session` VARCHAR(40) DEFAULT NULL, | |
`disabled` TINYINT(1) UNSIGNED DEFAULT 0, | |
`created_dt` DATETIME DEFAULT '0000-00-00 00:00:00', | |
`modified_ts` TIMESTAMP DEFAULT CURRENT_TIMESTAMP, | |
PRIMARY KEY (`id`), | |
UNIQUE INDEX `uniq_idx` (`email`) | |
) ENGINE=InnoDB CHARSET=UTF8; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
define('UNIQUE_SALT', '5&nL*dF4'); | |
/** | |
* @param string $pass The user submitted password | |
* @param string $hashed_pass The hashed password pulled from the database | |
* @param string $hash_method The hashing method used to generate the hashed password | |
*/ | |
function validateLogin($pass, $hashed_pass, $hash_method = 'sha1') { | |
if (function_exists('hash') && in_array($hash_method, hash_algos()) { | |
return ($hashed_pass === hash($hash_method, UNIQUE_SALT . $pass)); | |
} | |
return ($hashed_pass === sha1($hash_method, UNIQUE_SALT . $pass)); | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
define('UNIQUE_SALT', '5&nL*dF4'); | |
function create_hash($string, $hash_method = 'sha1') { | |
if (function_exists('hash') && in_array($hash_method, hash_algos()) { | |
return hash($hash_method, UNIQUE_SALT . $string); | |
} | |
return sha1(UNIQUE_SALT . $string); | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
/** | |
* Generates a secure, pseudo-random password with a safe fallback. | |
*/ | |
function pseudo_rand($length) { | |
if (function_exists('openssl_random_pseudo_bytes')) { | |
$is_strong = false; | |
$rand = openssl_random_pseudo_bytes($length, $is_strong); | |
if ($is_strong === true) return $rand; | |
} | |
$rand = ''; | |
$sha = ''; | |
for ($i = 0; $i < $length; $i++) { | |
$sha = hash('sha256', $sha . mt_rand()); | |
$chr = mt_rand(0, 62); | |
$rand .= chr(hexdec($sha[$chr] . $sha[$chr + 1])); | |
} | |
return $rand; | |
} | |
/** | |
* Creates a very secure hash. Uses blowfish by default with a fallback on SHA512. | |
*/ | |
function create_hash($string, &$salt = '', $stretch_cost = 10) { | |
$salt = pseudo_rand(128); | |
$salt = substr(str_replace('+', '.', base64_encode($salt)), 0, 22); | |
if (function_exists('hash') && in_array($hash_method, hash_algos()) { | |
return crypt($string, '$2a$' . $stretch_cost . '$' . $salt); | |
} | |
return _create_hash($string, $salt); | |
} | |
/** | |
* Fall-back SHA512 hashing algorithm with stretching. | |
*/ | |
function _create_hash($password, $salt) { | |
$hash = ''; | |
for ($i = 0; $i < 20000; $i++) { | |
$hash = hash('sha512', $hash . $salt . $password); | |
} | |
return $hash; | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
/** | |
* @param string $pass The user submitted password | |
* @param string $hashed_pass The hashed password pulled from the database | |
* @param string $salt The salt used to generate the encrypted password | |
*/ | |
function validateLogin($pass, $hashed_pass, $salt) { | |
if (function_exists('hash') && in_array($hash_method, hash_algos()) { | |
return ($hashed_pass === crypt($pass, $hashed_pass); | |
} | |
return ($hashed_pass === _create_hash($pass, $salt)); | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment