Securing Your PHP Sessions with a Random + Unix Timestamp Salt (old, use bcrypt)
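# NOTE: the salt used by the companion PHP helpers is derived from a predictable
# creation timestamp; as the gist title says, this scheme is old — prefer
# password_hash() (bcrypt) for new code.
CREATE TABLE secure_login (
  `id` INT(11) UNSIGNED NOT NULL AUTO_INCREMENT,
  `email` VARCHAR(120) NOT NULL,
  # not read by the companion PHP helpers, which derive the salt from created_dt
  `salt` VARCHAR(8) NOT NULL,
  # 40 chars fits a hex sha1 only; sha256 hex needs 64, and password_hash()
  # output should get VARCHAR(255)
  `password` VARCHAR(40) NOT NULL,
  `session` VARCHAR(40) DEFAULT NULL,
  `disabled` TINYINT(1) UNSIGNED DEFAULT 0,
  # your hidden salt will be the reverse of the created_dt value
  # (the PHP helpers pass created_date through strtotime(), so an INT stored
  # here must be converted consistently before/after the round trip)
  `created_dt` INT(11) UNSIGNED,
  `modified_ts` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
  PRIMARY KEY (`id`),
  UNIQUE INDEX `uniq_idx` (`email`)
) ENGINE=InnoDB CHARSET=UTF8;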
<?php | |
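/**
 * Check a submitted password against the hash stored for the account.
 *
 * The salt is the reversed Unix timestamp of the account's creation date
 * (the `created_dt` column of the companion schema). A timestamp-derived salt
 * is predictable, so this helper exists only to verify legacy hashes; new code
 * should use password_hash()/password_verify().
 *
 * @param string     $pass         The user submitted password
 * @param string     $hashed_pass  The hashed password pulled from the database
 * @param string|int $created_date The user's created date: a strtotime()-parsable
 *                                 string, or the epoch seconds stored in `created_dt`
 *                                 (an int, or a digit-only string as PDO returns it)
 * @param string     $hash_method  The hashing method used to generate the hashed
 *                                 password; an unsupported name falls back to sha1
 * @return bool true only when the recomputed hash matches $hashed_pass
 */
function validateLogin($pass, $hashed_pass, $created_date, $hash_method = 'sha1'): bool {
    // Epoch seconds may arrive as an int or a digit-only string (PDO hands back
    // INT columns as strings); anything else is parsed with strtotime().
    if (is_int($created_date) || (is_string($created_date) && preg_match('/\A\d+\z/', $created_date) === 1)) {
        $timestamp = (int) $created_date;
    } else {
        $timestamp = strtotime((string) $created_date);
    }
    // An unparsable created date can never reproduce the stored salt.
    if ($timestamp === false) {
        return false;
    }
    $salt = strrev((string) $timestamp);

    // hash() is always available since PHP 7.4; the only fallback needed is
    // for an algorithm name this runtime does not support.
    $computed = in_array($hash_method, hash_algos(), true)
        ? hash($hash_method, $salt . $pass)
        : sha1($salt . $pass);

    // Constant-time comparison: a plain === leaks where the strings first
    // differ. The cast keeps a NULL stored hash as a false result, not a TypeError.
    return hash_equals((string) $hashed_pass, $computed);
}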
<?php | |
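/**
 * Hash a password with the salt derived from the account's creation date.
 *
 * created_date must be a valid date() formatted string (anything strtotime()
 * parses) or the epoch seconds stored in `created_dt`. The salt is the
 * reversed Unix timestamp, which is predictable; keep this for legacy hashes
 * only and use password_hash() for new code.
 *
 * @param string     $string       The plaintext to hash
 * @param string|int $created_date The user's created date: a strtotime()-parsable
 *                                 string, or epoch seconds (an int, or a digit-only
 *                                 string as PDO returns it)
 * @param string     $hash_method  A hash_algos() name; an unsupported name falls
 *                                 back to sha1
 * @return string the hex digest of salt . $string
 * @throws \InvalidArgumentException when $created_date cannot be turned into a timestamp
 */
function create_hash($string, $created_date, $hash_method = 'sha1'): string {
    // the salt will be the reverse of the user's created date
    // in seconds since the epoch; epoch seconds may arrive as an int or a
    // digit-only string (PDO hands back INT columns as strings)
    if (is_int($created_date) || (is_string($created_date) && preg_match('/\A\d+\z/', $created_date) === 1)) {
        $timestamp = (int) $created_date;
    } else {
        $timestamp = strtotime((string) $created_date);
    }
    // Refuse to silently hash with a bogus salt: a hash produced from an
    // unparsable date could never be verified later.
    if ($timestamp === false) {
        throw new \InvalidArgumentException('created_date is not a valid date string or epoch value');
    }
    $salt = strrev((string) $timestamp);

    // hash() is always available since PHP 7.4; only fall back when the
    // requested algorithm is unknown to this runtime.
    if (in_array($hash_method, hash_algos(), true)) {
        return hash($hash_method, $salt . $string);
    }
    return sha1($salt . $string);
}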