# |
Feb 11th 2020, 17:28 |
damiano |
@phantomwatson but is there any other method to create a safe token?
# |
Feb 11th 2020, 17:27 |
damiano |
ok @phantomwatson |
# |
Feb 11th 2020, 17:27 |
damiano |
UUIDs look insecure to me |
# |
Feb 11th 2020, 17:27 |
slackebot |
salt, to do the same thing, they would essentially need to guess two passwords at the same time, and one of them is guaranteed to be long enough that it's impractical to ever brute-force it. |
# |
Feb 11th 2020, 17:27 |
phantomwatson |
If it's not salted, and if your database gets exposed, and if someone else knows what hashing function you're using and how your inputs are concatenated together, they could theoretically (and easily, if the password is weak) generate a rainbow table of hashes that correspond to different passwords until they find a hash that matches the one stored for that user. Then they'll know what the user's password is. With a long and secret |
# |
Feb 11th 2020, 17:22 |
damiano |
sha256 seems too long for a token |
# |
Feb 11th 2020, 17:21 |
damiano |
@phantomwatson otherwise? :) |
# |
Feb 11th 2020, 17:21 |
phantomwatson |
@damiano, if you're using a salt that you keep secret, `sha1()` should be sufficient. |
# |
Feb 11th 2020, 17:02 |
damiano |
@neon1024 sha1() is enough?
# |
Feb 11th 2020, 16:49 |
damiano |
I will check if the entity is new and then hash user/password
# |
Feb 11th 2020, 16:49 |
damiano |
ok |
# |
Feb 11th 2020, 16:40 |
neon1024 |
By hashing data from the object, you’re using unique inputs to generate a unique output was my thought
# |
Feb 11th 2020, 16:39 |
neon1024 |
Hash something from the object id and username or something |
# |
Feb 11th 2020, 16:38 |
neon1024 |
No, you’ll still get duplicates |
# |
Feb 11th 2020, 16:37 |
damiano |
@neon1024 generate a random string and then hash()?
# |
Feb 11th 2020, 16:32 |
neon1024 |
If you want to avoid duplicates you might consider hashing instead
# |
Feb 11th 2020, 16:32 |
neon1024 |
Which is what a `do {} while ()` loop is for
# |
Feb 11th 2020, 16:31 |
neon1024 |
Sounds like what you mean is: I want to generate random strings and test that they don’t already exist in my dataset
# |
Feb 11th 2020, 16:31 |
neon1024 |
That is the essence of random |
# |
Feb 11th 2020, 16:31 |
neon1024 |
A random string will produce the same string |
# |
Feb 11th 2020, 16:30 |
damiano |
I am adding it in beforeSave
# |
Feb 11th 2020, 16:30 |
damiano |
@neon1024 I do not know what it is using under the hood, can there be collisions? As I told you, I need a random string to use as a TOKEN (for authentication)
# |
Feb 11th 2020, 16:30 |
neon1024 |
…but I see it has randomString now :) |
# |
Feb 11th 2020, 16:29 |
neon1024 |
I used this and converted to string https://book.cakephp.org/3/en/core-libraries/security.html#getting-secure-random-data |
# |
Feb 11th 2020, 16:24 |
damiano |
is it safe using randomString() to create a token? |
# |
Feb 11th 2020, 15:43 |
sebastian.krzewinski. |
not to login page |
# |
Feb 11th 2020, 15:43 |
sebastian.krzewinski. |
authentication redirect to 404 |
# |
Feb 11th 2020, 15:42 |
sebastian.krzewinski. |
I can't even log in
# |
Feb 11th 2020, 15:42 |
sebastian.krzewinski. |
authorization
# |
Feb 11th 2020, 15:42 |
sebastian.krzewinski. |
authentication |
# |
Feb 11th 2020, 15:42 |
dereuromark |
What part isn't working? Can you be more specific on those?
# |
Feb 11th 2020, 15:41 |
sebastian.krzewinski. |
things from the GitHub docs about tutorials don't work either
# |
Feb 11th 2020, 15:23 |
challgren |
I don't think it's ever been documented; since you're experiencing the issue I would suggest doing a pull request
# |
Feb 11th 2020, 15:20 |
damiano |
however it works! |
# |
Feb 11th 2020, 15:20 |
damiano |
@challgren no no the documentation is awesome, it misses the unload part only :) |
# |
Feb 11th 2020, 15:19 |
sebastian.krzewinski. |
https://i.imgur.com/W8j3d0Q.png |
# |
Feb 11th 2020, 15:19 |
sebastian.krzewinski. |
yeah, but I don't know... I could be doing something wrong there
# |
Feb 11th 2020, 15:13 |
pieceof |
Symfony is waiting for you
# |
Feb 11th 2020, 15:08 |
challgren |
If you are using an IDE you can always “Go to declaration” and inspect the code from there. |
# |
Feb 11th 2020, 15:07 |
challgren |
You're acting like nothing is documented. If you feel something isn’t documented well, please open an issue and/or PR
# |
Feb 11th 2020, 15:06 |
damiano |
@challgren I tried, there is no documentation