Log message #4226363

# At Username Text
# Feb 11th 2020, 17:37 phantomwatson Another option is to randomly generate a single salt (or use the `Security.salt` configuration value that's already in CakePHP) that you use for everyone's token. Then, you don't need to store the token in the database at all, because whenever there's a token in a request, you can compare it to `Security::hash($entity->username . $entity->password . $salt, 'sha1', true);`
# Feb 11th 2020, 17:35 damiano in db
# Feb 11th 2020, 17:35 damiano yes
# Feb 11th 2020, 17:35 phantomwatson So this token is stored in the database?
# Feb 11th 2020, 17:34 phantomwatson If you want to get wacky, you could generate the token by `hash($username . $passwordHash)` in order for that remote possibility of someone deriving the password from the publicly-transmitted authentication token to be even less likely. But whenever people are hashing hashes, people tend to consider that a code smell that indicates that something dumb is happening.
# Feb 11th 2020, 17:34 damiano maybe randomString() there is pointless
# Feb 11th 2020, 17:34 damiano this is what i did: `$entity->token = Security::hash($entity->username . $entity->password . Security::randomString(24), 'sha1', true);`
# Feb 11th 2020, 17:31 damiano @phantomwatson sure!! hehe
# Feb 11th 2020, 17:31 phantomwatson (Assuming usernames must be unique ;) )
# Feb 11th 2020, 17:31 damiano but i must add a salt for sure
# Feb 11th 2020, 17:31 damiano yeah i would like to avoid it, i mean, i would like to save and stop, as @neon1024 said i can hash(user + password), in that way i will surely get a unique token
# Feb 11th 2020, 17:30 phantomwatson If you just need a unique string and that's the only requirement, then you could literally just generate a random string and test it for uniqueness before setting it. That would be perfectly fine for a small user pool, but might cause long database lookups if you have a billion users.
# Feb 11th 2020, 17:30 damiano however if my database gets exposed, they will copy the token and that's all, they can use whatever they want with user token... i am implementing login via user/password, token and cookie
# Feb 11th 2020, 17:28 damiano @phantomwatson but are there any other method to create a safe token ?
# Feb 11th 2020, 17:27 damiano ok @phantomwatson
# Feb 11th 2020, 17:27 damiano UUIDs look insecure to me
# Feb 11th 2020, 17:27 phantomwatson If it's not salted, and if your database gets exposed, and if someone else knows what hashing function you're using and how your inputs are concatenated together, they could theoretically (and easily, if the password is weak) generate a rainbow table of hashes that correspond to different passwords until they find a hash that matches the one stored for that user. Then they'll know what the user's password is. With a long and secret salt, to do the same thing, they would essentially need to guess two passwords at the same time, and one of them is guaranteed to be long enough that it's impractical to ever brute-force it.
# Feb 11th 2020, 17:22 damiano sha256 seems too long for a token
# Feb 11th 2020, 17:21 damiano @phantomwatson otherwise? :)
# Feb 11th 2020, 17:21 phantomwatson @damiano, if you're using a salt that you keep secret, `sha1()` should be sufficient.
# Feb 11th 2020, 17:02 damiano @neon1024 sha1() is enough ?
# Feb 11th 2020, 16:49 damiano i will check if the entity is new and then hash(user/password) that
# Feb 11th 2020, 16:49 damiano ok
# Feb 11th 2020, 16:40 neon1024 By hashing data from the object, you’re using unique inputs to generate a unique output was my thought
# Feb 11th 2020, 16:39 neon1024 Hash something from the object id and username or something
# Feb 11th 2020, 16:38 neon1024 No, you’ll still get duplicates
# Feb 11th 2020, 16:37 damiano @neon1024 generate random string and then hash() ?
# Feb 11th 2020, 16:32 neon1024 If you want to avoid duplicates you might consider hashing instead
# Feb 11th 2020, 16:32 neon1024 Which is what a `do {} while ()` loop is for
# Feb 11th 2020, 16:31 neon1024 Sounds like what you mean is. I want to generate random strings and test that they don’t already exist in my dataset
# Feb 11th 2020, 16:31 neon1024 That is the essence of random
# Feb 11th 2020, 16:31 neon1024 A random string will produce the same string
# Feb 11th 2020, 16:30 damiano i am adding it in beforesave
# Feb 11th 2020, 16:30 damiano @neon1024 i do not know what it is using under the hood, can there be a collision? as i told you i need a random string to use as a TOKEN (for authentication)
# Feb 11th 2020, 16:30 neon1024 …but I see it has randomString now :)
# Feb 11th 2020, 16:29 neon1024 I used this and converted to string https://book.cakephp.org/3/en/core-libraries/security.html#getting-secure-random-data
# Feb 11th 2020, 16:24 damiano is it safe using randomString() to create a token?
# Feb 11th 2020, 15:43 sebastian.krzewinski. not to login page
# Feb 11th 2020, 15:43 sebastian.krzewinski. authentication redirect to 404
# Feb 11th 2020, 15:42 sebastian.krzewinski. i cant even log in