| # |
May 30th 2016, 09:10 |
ionas |
if any of you still wants to grab a bite I am leaving my appartement soon @ amsterdam |
| # |
May 30th 2016, 09:09 |
ionas |
all the best to you guys |
| # |
May 30th 2016, 09:09 |
ionas |
client javascript based - application password_hash based - then on the fly salts for the database but still based on password_hash :) |
| # |
May 30th 2016, 09:09 |
ionas |
you could - I think - still use password hash two times ;) |
| # |
May 30th 2016, 09:08 |
hmic |
as i said, there might be cases you might think and might want to do better - feel free to. |
| # |
May 30th 2016, 09:07 |
ionas |
yeah but security may assume bad code ;p |
| # |
May 30th 2016, 09:07 |
hmic |
*if* thats the case, you have serious problems anyways |
| # |
May 30th 2016, 09:07 |
ionas |
client salt+hash, application salt + hash, db field salt + hash ;) |
| # |
May 30th 2016, 09:07 |
hmic |
that helps only if an attacker can overwrite passwords of other users by known (hashed) values |
| # |
May 30th 2016, 09:06 |
hmic |
ionas, its just not neccessary |
| # |
May 30th 2016, 09:06 |
ionas |
hmic: the only thing that I kinda miss is double salting |
| # |
May 30th 2016, 09:06 |
hmic |
you can still provide a custom password hasher to the auth component and use it in your UserEntity to set the password hash too. |
| # |
May 30th 2016, 09:05 |
hmic |
if you need something else and think you can do better (for your specific usecase, maybe) |
| # |
May 30th 2016, 09:04 |
hmic |
of course you can copy a hash to another user and the password will work |
| # |
May 30th 2016, 09:04 |
hmic |
http://php.net/manual/de/function.password-hash.php |
| # |
May 30th 2016, 09:04 |
JohnWayne |
I have now try to copy hashed pass from one to another user and its working... I was thinking that is always "new" hash for each letter |
| # |
May 30th 2016, 09:03 |
JohnWayne |
And is it a little bit strange that for instance "a" is always for instance "sadasda%§$$SDA" |
| # |
May 30th 2016, 09:03 |
hmic |
which is bcrypt under he hood as of now (but might change if thats considered insecure in the future) |
| # |
May 30th 2016, 09:02 |
hmic |
password_hash() |
| # |
May 30th 2016, 09:02 |
hmic |
JohnWayne, php default |
| # |
May 30th 2016, 09:02 |
JohnWayne |
Which hashing system use ckaphp 3 for passwords |
| # |
May 30th 2016, 08:56 |
phpcoder |
thanks ionas ! |
| # |
May 30th 2016, 08:56 |
phpcoder |
) |
| # |
May 30th 2016, 08:55 |
rubyan |
nope. Fatal error: Call to undefined method Cake\I18n\Time::week() |
| # |
May 30th 2016, 08:54 |
hmic |
->week() |
| # |
May 30th 2016, 08:54 |
rubyan |
To get the current weeknumber, why cant I do Cake\I18n\Time::now()->week ? |
| # |
May 30th 2016, 08:53 |
ionas |
or in your Amsterdam branch ;) |
| # |
May 30th 2016, 08:53 |
hmic |
sure |
| # |
May 30th 2016, 08:53 |
ionas |
in Germany? |
| # |
May 30th 2016, 08:53 |
hmic |
ionas, im in the office already |
| # |
May 30th 2016, 08:51 |
ionas |
anyone of you guys still wants to have a bite or dirnk something? hmic? |
| # |
May 30th 2016, 08:51 |
ionas |
have a great afternoon, I feel a bit sad that I have to go home from cakefest now |
| # |
May 30th 2016, 08:50 |
ionas |
phpcoder: if you are using the opt-out feature you may want to consider adding the clause()->traverse() trick to the book as a PR to the docs <3 |
| # |
May 30th 2016, 08:48 |
ionas |
you will be happier later not repeating my mistakes :pö |
| # |
May 30th 2016, 08:47 |
ionas |
got it? |
| # |
May 30th 2016, 08:47 |
phpcoder |
yes ok |
| # |
May 30th 2016, 08:47 |
ionas |
instead of hacking opt-out |
| # |
May 30th 2016, 08:47 |
phpcoder |
yeah there could be many |
| # |
May 30th 2016, 08:47 |
ionas |
you might want to consider fixing your query composition |
| # |
May 30th 2016, 08:47 |
ionas |
however as I said |
| # |
May 30th 2016, 08:47 |
ionas |
maybe :) |