| # |
Jul 12th 2018, 16:22 |
 chris-andre |
Hi. I'm using TCPDF. When adding `<img src="/img/cake.power.gif" />` it works, but when I use `<img src="/users/img" />`it doesn't show the image. img() action in UsersController has `return $this->response->withFile('{path_to_file}')`. When I navigate to /users/img, the image is shown as expected. Any ideas? |
| # |
Jul 12th 2018, 16:16 |
mdunham_ |
hola amigos |
| # |
Jul 12th 2018, 15:42 |
camdenbassett |
a-password-multiple-times |
| # |
Jul 12th 2018, 15:42 |
camdenbassett |
after doing a little more research, it looks like it might be a better idea to just switch all the passwords to a single stronger hash rather than running them through multiple hashes. Basically the hash might only be as strong as the weakest hash in the chain https://softwareengineering.stackexchange.com/questions/115406/is-it-more-secure-to-hash- |
| # |
Jul 12th 2018, 15:38 |
camdenbassett |
no, as far as I know no-one has gotten the DB. Just wanting to upgrade it before there is trouble. |
| # |
Jul 12th 2018, 15:38 |
ricksaccous |
if you assume someone did already then it's not safe because someone has the unhashed passwords anyway |
| # |
Jul 12th 2018, 15:37 |
ricksaccous |
well if someone already compromised your database, yes, if not it's fine, lol |
| # |
Jul 12th 2018, 15:36 |
camdenbassett |
I was using them as examples. Basically my main question is, is it safe to send a password through multiple hash algorithms if one of them is insecure, like md5, and others are more secure, like sha or Argon. |
| # |
Jul 12th 2018, 15:35 |
neon1024 |
Wasn’t there a shell to populate counter_cache fields? |
| # |
Jul 12th 2018, 15:35 |
camdenbassett |
and I know md5 and sha1 aren't very secure anymore :) |
| # |
Jul 12th 2018, 15:34 |
dereuromark |
That was the old 2.x docs: https://github.com/dereuromark/cakephp-shim/blob/2.x/docs/Auth.md |
| # |
Jul 12th 2018, 15:34 |
camdenbassett |
Thanks, I'll take a look at that. |
| # |
Jul 12th 2018, 15:33 |
ricksaccous |
https://book.cakephp.org/3.0/en/controllers/components/authentication.html#changing-hashing-algorithms |
| # |
Jul 12th 2018, 15:32 |
ricksaccous |
i haven't done it i just know it exists, lel |
| # |
Jul 12th 2018, 15:32 |
ricksaccous |
you can set the old method and set the new one, and it will make it secure for you |
| # |
Jul 12th 2018, 15:32 |
dereuromark |
and use a fallback hasher to upgrade since 3+ years |
| # |
Jul 12th 2018, 15:32 |
dereuromark |
you should use neither of them :slightly_smiling_face: |
| # |
Jul 12th 2018, 15:32 |
ricksaccous |
there's a cakephpway to redo password hashing |
| # |
Jul 12th 2018, 15:30 |
camdenbassett |
I just need to know if there are any advantages/disadvantages to sending a password through md5 then sha vs just through sha. I have an old old old password system that I'm trying to upgrade, and the easiest route would be to just apply one hash on top of another, but I remember reading online somewhere that that might not be very secure. |
| # |
Jul 12th 2018, 15:28 |
dereuromark |
yes |
| # |
Jul 12th 2018, 15:28 |
camdenbassett |
@dereuromark was that question directed at me? |
| # |
Jul 12th 2018, 15:28 |
josbeir |
too much code |
| # |
Jul 12th 2018, 15:27 |
josbeir |
pff i hate writing unit tests for components |
| # |
Jul 12th 2018, 15:26 |
dereuromark |
those are good defaults, and rather safe :slightly_smiling_face: |
| # |
Jul 12th 2018, 15:25 |
dereuromark |
what do you need to know/do besides what CakePHP offers out of the box? |
| # |
Jul 12th 2018, 15:25 |
camdenbassett |
Anyone know of a good irc channel to discuss the cryptographic storage of passwords? |
| # |
Jul 12th 2018, 15:24 |
josbeir |
np |
| # |
Jul 12th 2018, 15:24 |
okelet |
thanks! |
| # |
Jul 12th 2018, 15:24 |
okelet |
i will try with a migration, unmarking every time i run it |
| # |
Jul 12th 2018, 15:24 |
okelet |
yes, i know, i have some migrations |
| # |
Jul 12th 2018, 15:23 |
josbeir |
check out phinx docs |
| # |
Jul 12th 2018, 15:23 |
josbeir |
you have $this->hasTable('table'); $table->hasColumn('column'); etc.. |
| # |
Jul 12th 2018, 15:21 |
josbeir |
you have methods like exists() etc |
| # |
Jul 12th 2018, 15:21 |
josbeir |
it should work ok |
| # |
Jul 12th 2018, 15:21 |
josbeir |
that has extra checks in the up/down functions |
| # |
Jul 12th 2018, 15:21 |
josbeir |
but still, all of your logic can be inside a migration class |
| # |
Jul 12th 2018, 15:20 |
okelet |
ah ok ok |
| # |
Jul 12th 2018, 15:20 |
josbeir |
bin/cake migrations rollback |
| # |
Jul 12th 2018, 15:20 |
josbeir |
well you can rollback |
| # |
Jul 12th 2018, 15:20 |
josbeir |
i dont think you can run migrations classes from a command, you can probably call the migration shell |
| # |
Jul 12th 2018, 15:19 |
okelet |
can I unmark a migration from cmd? |