diff --git a/db_structure.sql b/db_structure.sql
index e324b2d..5d13984 100644
--- a/db_structure.sql
+++ b/db_structure.sql
@@ -60,10 +60,11 @@ CREATE TABLE `User` (
   `name` varchar(40) NOT NULL,
   `email` varchar(50) DEFAULT NULL,
   `emailVerified` tinyint(1) NOT NULL,
-  `password` varchar(32) DEFAULT NULL,
+  `passwordHash` varchar(64) DEFAULT NULL,
+  `passwordSalt` varchar(5) DEFAULT NULL,
   `ipHost` varchar(20) DEFAULT NULL,
   `loginDate` datetime DEFAULT NULL,
-  `sessionHash` varchar(32) DEFAULT NULL,
+  `cookieHash` varchar(32) DEFAULT NULL,
   `superUser` tinyint(1) NOT NULL,
   `enabled` tinyint(1) NOT NULL
 ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
@@ -72,8 +73,8 @@ CREATE TABLE `User` (
 -- Dumping data for table `User`
 --
-INSERT INTO `User` (`id`, `name`, `email`, `emailVerified`, `password`, `facebookUid`, `sessionId`, `ipHost`, `loginDate`, `sessionHash`, `superUser`, `enabled`) VALUES
-(1, 'Admin Admin', 'admin@example.com', 1, '', NULL, '', '', '1970-01-01 01:00:0', '', 1, 1);
+INSERT INTO `User` (`id`, `name`, `email`, `emailVerified`, `passwordHash`, `passwordSalt`, `ipHost`, `loginDate`, `cookieHash`, `superUser`, `enabled`) VALUES
+(1, 'Admin Admin', 'admin', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', '', '1970-01-01 01:00:0', '', 1, 1);
 -- --------------------------------------------------------
@@ -120,8 +121,7 @@ ALTER TABLE `Image`
 ALTER TABLE `User`
   ADD PRIMARY KEY (`id`),
   ADD KEY `email` (`email`),
-  ADD KEY `sessionHash` (`sessionHash`),
-  ADD KEY `facebookUid` (`facebookUid`);
+  ADD KEY `cookieHash` (`cookieHash`);
 --
 -- Indexes for table `Video`
diff --git a/db_test_data.sql b/db_test_data.sql
index 5ca3599..5ca276d 100644
--- a/db_test_data.sql
+++ b/db_test_data.sql
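Review bot: `passwordSalt varchar(5)` caps the per-user salt at five characters, and the seeded row in the next hunk fills it with the literal 'salt'; a salt that short and that easily shared gives up most of what per-user salting is meant to provide against precomputed tables. Widen the column so it can hold a random salt of at least 16 bytes in hex or base64 form (for example `varchar(64)`), and consider declaring it `NOT NULL` together with `passwordHash` so a hash can never be stored without its salt. A one-line comment such as `-- per-user random salt, generated by User.setPassword()` above the column would record who owns the value.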
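Review bot: The seeded administrator row now carries a concrete `passwordHash` together with the fixed salt 'salt' inside the structure dump, so every deployment built from this file starts with the same administrator credential. The row it replaces had an empty password; if a bootstrap admin is required, prefer leaving `passwordHash` and `passwordSalt` NULL and setting the password at install time, or at minimum force a change on first login and treat this row as a fixture rather than production data. The `email` value 'admin' is also not an address, which the `email` index and any login-by-email lookup will have to tolerate.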
@@ -1640,18 +1640,18 @@ INSERT INTO `Image` (`id`, `folder`, `filename`, `user`, `title`, `description`,
 -- Dumping data for table `User`
 --
-INSERT INTO `User` (`id`, `name`, `email`, `emailVerified`, `password`, `facebookUid`, `sessionId`, `ipHost`, `loginDate`, `sessionHash`, `superUser`, `enabled`) VALUES
-(6, 'User 01', 'test@koc.se', 1, '6b8186c16808026b6f1dc60b148ced42', NULL, '95784E87A1640E85C37D7F1639E5F78C', '192.176.1.81', '2017-11-29 16:38:50', 'a0e09c1108fc5b004fcef94c6e0bb542', 1, 1),
-(23, 'User 02', 'test@example.com', 1, '4580389f38088ec92c5eae50d9a2403b', NULL, '73522EA6720A8B612DB183016D1AB718', '91.7.201.37', '2017-10-23 16:38:25', '0ea7b083e0ac6db2b07d907913e190fd', 0, 1),
-(25, 'User 03', 'test@example.com', 1, NULL, NULL, '6B8A79652F84DF3CCA7381D693478FD1', 'koc.se', '2011-09-30 09:33:12', '62a29eab987b7a3953111cb602766f09', 0, 1),
-(27, 'User 05', 'test@example.com', 1, '20cca4a3c87f8b8ffaa9e1754cee8bdf', NULL, 'F186D18D72B80EE5A7C15F2BF2ED144D', '86.84.84.192', '2017-09-17 14:32:29', 'be3286ac15e5c93f6104642fb50c23ff', 0, 1),
-(28, 'User 06', 'test@example.com', 1, 'c2087d8beea7df99d23292a0f805e34e', NULL, '3BA5AB8B39C12EA6F7D86529F189180B', 'koc.se', '2012-05-09 15:43:13', '1e74987a3d3ccc1dfdce1bb35c95dbee', 0, 1),
-(29, 'User 07', 'test@example.com', 1, 'f88910b4a83f7d074889aa02982e1eab', NULL, '402511A763FF4872B8D886C658C6EEFB', 'koc.se', '2012-10-31 18:52:15', '859f403053d7925731f611e5f8a1534b', 0, 1),
-(30, 'User 08', 'test@example.com', 1, '709e024ac8980bca06c0ec32ddcc1870', NULL, '48B523CD2A5B3F4185B756102448A9D4', 'koc.se', '2012-08-02 12:30:52', 'c2af6f2e738b67d5422e99f4ee6322cf', 0, 1),
-(33, 'User 09', 'test@example.com', 1, '755134b80c4f2f809314999da089742e', NULL, '730149420D78026FBC3DF33303CFD637', 'koc.se', '2012-11-20 20:56:22', 'e264557b8ee2dc6cb30686b1e4b49545', 0, 1),
-(35, 'User 10', 'test@example.com', 1, '6e010025868ff207d098954324849e89', NULL, '6017712D1C325EEC1F3AFB693A93ED31', 'www.koc.se', '2014-09-18 21:17:25', 
'152d20d7d48df05bafef1fe32023d085', 0, 1),
-(36, 'User 11', 'test@example.com', 1, '25d55ad283aa400af464c76d713c07ad', NULL, '70489CE7358FDFD6279D70EF20916FE6', 'koc.se', '2013-09-04 23:35:59', '0929202e64e78bab7d787873723ec979', 0, 1),
-(37, 'User 12', 'test@example.com', 0, '8cd18c951d9964343131aeb65b1dfaca', NULL, 'C38C6D0D49AFF8E625AFE4E726BAF5CE', 'koc.se', '2015-01-09 15:34:36', '6c74b9abd564b34313af7c5161557a80', 0, 1),
-(43, 'User 13', 'test@example.com', 0, '465860201c448343cf8a146bdd6868dd', NULL, 'A0DC6C15A921B653059D42BCD3F5EEBF', '91.7.239.138', '2017-08-01 23:48:15', '20a8626ffec27e2f90dc4bbaace4f995', 0, 1);
+INSERT INTO `User` (`id`, `name`, `email`, `emailVerified`, `passwordHash`, `passwordSalt`, `ipHost`, `loginDate`, `cookieHash`, `superUser`, `enabled`) VALUES
+(6, 'User 01', 'test@koc.se', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', '192.176.1.81', '2017-11-29 16:38:50', 'a0e09c1108fc5b004fcef94c6e0bb542', 1, 1),
+(23, 'User 02', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', '91.7.201.37', '2017-10-23 16:38:25', '0ea7b083e0ac6db2b07d907913e190fd', 0, 1),
+(25, 'User 03', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2011-09-30 09:33:12', '62a29eab987b7a3953111cb602766f09', 0, 1),
+(27, 'User 05', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', '86.84.84.192', '2017-09-17 14:32:29', 'be3286ac15e5c93f6104642fb50c23ff', 0, 1),
+(28, 'User 06', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2012-05-09 15:43:13', '1e74987a3d3ccc1dfdce1bb35c95dbee', 0, 1),
+(29, 'User 07', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2012-10-31 18:52:15', '859f403053d7925731f611e5f8a1534b', 0, 1),
+(30, 'User 08', 'test@example.com', 1, 
'6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2012-08-02 12:30:52', 'c2af6f2e738b67d5422e99f4ee6322cf', 0, 1),
+(33, 'User 09', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2012-11-20 20:56:22', 'e264557b8ee2dc6cb30686b1e4b49545', 0, 1),
+(35, 'User 10', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'www.koc.se', '2014-09-18 21:17:25', '152d20d7d48df05bafef1fe32023d085', 0, 1),
+(36, 'User 11', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2013-09-04 23:35:59', '0929202e64e78bab7d787873723ec979', 0, 1),
+(37, 'User 12', 'test@example.com', 0, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2015-01-09 15:34:36', '6c74b9abd564b34313af7c5161557a80', 0, 1),
+(43, 'User 13', 'test@example.com', 0, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', '91.7.239.138', '2017-08-01 23:48:15', '20a8626ffec27e2f90dc4bbaace4f995', 0, 1);
 -- --------------------------------------------------------
diff --git a/src/zall/action/user/ModifyUserStatusAction.java b/src/zall/action/user/ModifyUserStatusAction.java
index 37adc0e..0afabbd 100755
--- a/src/zall/action/user/ModifyUserStatusAction.java
+++ b/src/zall/action/user/ModifyUserStatusAction.java
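Review bot: Every fixture row now carries the identical `passwordHash` and the literal salt 'salt', and row 25, which previously had `NULL` for `password`, now has a hash as well, so the fixtures no longer exercise per-user salting or the no-password account branch (`getPasswordHash() == null` in ModifyUserStatusAction). Give each row its own salt/hash pair produced through the application's hashing path and keep at least one `NULL` password row so both branches stay covered by the test data.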
@@ -37,10 +37,10 @@ public class ModifyUserStatusAction extends ZalleryAction {
         if (request.getParameter("email") != null)
             target_user.setEmail(request.getParameter("email"));
         if (request.getParameter("password") != null) {
-            if (target_user.getPassword() == null)
+            if (target_user.getPasswordHash() == null)
                 target_user.setPassword(request.getParameter("password"));
             else if (request.getParameter("oldPassword") != null)
-                if (target_user.getPassword().equals(request.getParameter("oldPassword")))
+                if (target_user.getPasswordHash().equals(request.getParameter("oldPassword")))
                     target_user.setPassword(request.getParameter("password"));
                 else {
                     msgs.add(new UserMessage(MessageLevel.ERROR, "Wrong password!"));
diff --git a/src/zall/bean/User.java b/src/zall/bean/User.java
index d8b2f79..ce0172b 100755
--- a/src/zall/bean/User.java
+++ b/src/zall/bean/User.java
@@ -20,7 +20,8 @@ public class User extends DBBean {
     protected String name;
     protected String email;
     protected boolean emailVerified;
-    protected String password;
+    protected String passwordHash;
+    protected String passwordSalt;
     // Date
     protected Timestamp loginDate;
     // security
@@ -89,7 +90,7 @@ public class User extends DBBean {
     }
     public String generateEmailVerificationHash() {
-        return Hasher.MD5("##helloWorld-->2011" + email + name + password);
+        return Hasher.MD5("##helloWorld-->2011" + email + name + passwordHash);
     }
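Review bot: `target_user.getPasswordHash().equals(request.getParameter("oldPassword"))` compares the stored PBKDF2 hash against the plaintext `oldPassword` parameter, so a correct old password never matches and the change-password branch for an account that already has a hash is unreachable (the replaced line had the same shape against the MD5 hash). The check needs to re-derive the candidate with the stored salt, e.g. `Hasher.PBKDF2(request.getParameter("oldPassword"), target_user.getPasswordSalt(), 1000)`, and compare it with `MessageDigest.isEqual` on the byte arrays rather than `String.equals`, so the comparison does not short-circuit on the first differing character. A `getPasswordSalt()` accessor is not visible in this diff and may need to be added to User. The enclosing method starts and ends outside the hunk.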
@@ -138,12 +139,17 @@ public class User extends DBBean {
         this.emailVerified = verified;
     }
-    public String getPassword() {
-        return password;
+    public String getPasswordHash() {
+        return passwordHash;
     }
     public void setPassword(String password) {
-        this.password = Hasher.MD5(password);
+        String newPasswordSalt = Hasher.SHA1(Math.random()).substring(0, 5);
+        String newPasswordHash = Hasher.PBKDF2(password, newPasswordSalt, 1000);
+
+        // We wait with setting the actual fields if there is an exception
+        this.passwordSalt = newPasswordSalt;
+        this.passwordHash = newPasswordHash;
     }
     public String getCookieHash() {
diff --git a/src/zall/manager/AuthenticationManager.java b/src/zall/manager/AuthenticationManager.java
index d8bcd17..1343b18 100755
--- a/src/zall/manager/AuthenticationManager.java
+++ b/src/zall/manager/AuthenticationManager.java
@@ -35,7 +35,7 @@ public class AuthenticationManager {
         // Valid email?
         if( user != null ){
-            if (user.getPassword().equals(Hasher.MD5(password))) {
+            if (user.getPasswordHash().equals(Hasher.MD5(password))) {
                 setUserAuthenticated(db, user, User.AuthType.USER_INPUT, request, response);
                 return user;
             } else {
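Review bot: The salt in `setPassword` is derived from `Math.random()`, which is not a cryptographic RNG, and then truncated to five hex characters, so salts will be guessable and will collide across users; generate it with `java.security.SecureRandom` instead, e.g. `byte[] saltBytes = new byte[16]; new SecureRandom().nextBytes(saltBytes); String newPasswordSalt = Base64.getEncoder().encodeToString(saltBytes);`, which also means the `passwordSalt varchar(5)` column in db_structure.sql must be widened. The iteration count `1000` is low by current guidance and is repeated as a literal wherever the hash is verified, so hoist it into a named constant on User that both the setter and the verifiers reference. The comment `// We wait with setting the actual fields if there is an exception` is accurate, since both values are computed before either field is assigned, but it would read more clearly as `// Compute both values first so an exception from Hasher leaves the old salt/hash untouched`.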
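Review bot: The login check still compares `user.getPasswordHash()` with `Hasher.MD5(password)`, while `User.setPassword` in this same commit stores a PBKDF2 hash with a per-user salt, so no password set through the new path can ever authenticate, and the seeded 64-character hashes can never equal a 32-character MD5 digest. Verify by re-deriving with the stored salt and comparing in constant time: `if (MessageDigest.isEqual(user.getPasswordHash().getBytes(StandardCharsets.UTF_8), Hasher.PBKDF2(password, user.getPasswordSalt(), 1000).getBytes(StandardCharsets.UTF_8))) {`. A `getPasswordSalt()` accessor is not visible in this diff and may need to be added to User; a short comment such as `// Password hashes are PBKDF2 with the user's stored salt; see User.setPassword()` above the check would keep the two sides from drifting again. The enclosing method begins before the hunk and continues past it.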