  #41 | Join Date: Sep 2009 | Stockholm, Sweden

    Tokens are now created and stored against user accounts. A token is a salted hash of the user's password hash, the token and an identifier.

    The identifier is an ip (this would be the IP of the UI).


    // 1. Client authenticates with Username/Password, generate a new token for them..
    // Generating
    var tokenId = newGuid();
    var token = randomLongText();
    var identifier = "";                                   // the IP of the UI (see above)
    var accountsPasswordHash = "previouslySetBCryptPasswordHash";
    var tokenHash = BCrypt(ShaHash(token + accountsPasswordHash + identifier));
    // ... Store only tokenId + tokenHash against the account; return "Success" along with the generated Token and TokenId
    // ... later, on next request.. Client sends Token and TokenId (no username/password)
    // Look up the stored record by TokenId, then recompute the hash the same way.
    // BCrypt salts each hash, so the stored hash is checked with a verify call rather than "==" (editor's fix to the pseudocode).
    if (storedToken != null && TokenId == storedToken.Id
        && BCryptVerify(ShaHash(Token + account.PasswordHash + identifier), storedToken.Hash)) {
        // all good.
    }

    Tokens expire if they have not been used after two days.

    The token itself is never stored on Procon C#'s side.

    If the identifier isn't the same, the token check will fail.

    If the user's password is modified (or just re-salted) then the token check will fail.

    User has a maximum of 5 tokens by default. This would mean you can only have your account logged into 5 devices at the moment. I may increase this to 10. Given the 2 day limit, if you can login with 10 different devices then I envy that person's problems.

    Anyway, all of this means that the UI only needs your password to authenticate initially with C#. If the session collection on the UI is ever dumped then the attackers will be able to access the C# Instance, but they won't have the users original password (or a derivative of it).
    I started at DICE late Oct. 2014, so ignore every post before that.
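The scheme described in the post above, as an added example that is not Procon's own code: a token is bound to the account's password hash and an identifier, only its slow hash is stored, it expires two days after last use, and an account holds at most 5 tokens. Assumptions: stdlib PBKDF2 stands in for the BCrypt step, and the class and method names are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets
import uuid

TOKEN_TTL = 2 * 24 * 3600   # seconds: a token dies two days after its last use
MAX_TOKENS = 5              # default per-account token limit from the post


def slow_hash(data: bytes, salt: bytes) -> bytes:
    # Stand-in for the post's BCrypt step (assumption: PBKDF2 from the stdlib).
    return hashlib.pbkdf2_hmac("sha256", data, salt, 20_000)


def token_digest(token: str, password_hash: str, identifier: str) -> bytes:
    # SHA over token + account password hash + identifier, as in the pseudocode.
    return hashlib.sha256((token + password_hash + identifier).encode()).digest()


class Account:
    def __init__(self, password_hash: str):
        self.password_hash = password_hash   # changing this invalidates every token
        self.tokens = {}                     # tokenId -> {"salt", "hash", "last_used"}

    def issue_token(self, identifier: str, now: float):
        """Create a token for this identifier; returns (tokenId, token). Only the hash is stored."""
        if len(self.tokens) >= MAX_TOKENS:
            raise RuntimeError("token limit reached")
        token_id, token, salt = str(uuid.uuid4()), secrets.token_urlsafe(32), os.urandom(16)
        digest = token_digest(token, self.password_hash, identifier)
        self.tokens[token_id] = {"salt": salt, "hash": slow_hash(digest, salt), "last_used": now}
        return token_id, token

    def check_token(self, token_id: str, token: str, identifier: str, now: float) -> bool:
        """Verify a presented token; fails on unknown id, expiry, wrong identifier or changed password."""
        rec = self.tokens.get(token_id)
        if rec is None:
            return False
        if now - rec["last_used"] > TOKEN_TTL:
            del self.tokens[token_id]        # expired: drop it so it cannot be retried
            return False
        expected = slow_hash(token_digest(token, self.password_hash, identifier), rec["salt"])
        if not hmac.compare_digest(expected, rec["hash"]):
            return False
        rec["last_used"] = now               # sliding expiry: use refreshes the two-day window
        return True
```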


