Implemented better password hashing algorithm

master
Thomas Hooge 2 years ago
parent c13c7494bf
commit 08c6d42b3c
  1. 26
      lib/user.class.php

@ -82,8 +82,24 @@
// any users? // any users?
if ($user_counter>0) { if ($user_counter>0) {
// compare passwords // compare passwords
if(!strcmp(md5($user_pass), $users[0]['user_pass'])) { if(!strcmp(md5($user_pass), rtrim($users[0]['user_pass']))) {
// all ok: user is logged in, register session data // all ok: user is logged in
// md5 match but outdated. rewrite with new algo
$newhash = password_hash($user_pass, PASSWORD_BCRYPT);
$query = "UPDATE user SET user_pass='" . $newhash. "' WHERE user_id=" . $users[0]['user_id'];
$db->db_update($query);
} else {
if (! password_verify($user_pass, $users[0]['user_pass'])) {
return FALSE;
}
}
} else {
return FALSE;
}
// register session data
$_SESSION['suser_id'] = $users[0]['user_id']; $_SESSION['suser_id'] = $users[0]['user_id'];
$_SESSION['suser_displayname'] = $users[0]['user_displayname']; $_SESSION['suser_displayname'] = $users[0]['user_displayname'];
$_SESSION['suser_language'] = $users[0]['user_language']; $_SESSION['suser_language'] = $users[0]['user_language'];
@ -103,12 +119,6 @@
$_SESSION['suser_menu_vlans'] = $users[0]['user_menu_vlans']; $_SESSION['suser_menu_vlans'] = $users[0]['user_menu_vlans'];
$_SESSION['suser_menu_zones'] = $users[0]['user_menu_zones']; $_SESSION['suser_menu_zones'] = $users[0]['user_menu_zones'];
$_SESSION['suser_tooltips'] = $users[0]['user_tooltips']; $_SESSION['suser_tooltips'] = $users[0]['user_tooltips'];
} else {
return FALSE;
}
} else {
return FALSE;
}
// no errors found, return // no errors found, return
return TRUE; return TRUE;