Hash-based authentication

Sometimes you might need to authenticate against hash representations of the individual's credentials. For example, you might want to store the credentials in the cookies of the browser so that authentication can be performed automatically without requiring the individual's input.

Sending the identifier in clear is not a concern. However, sending the password exactly as it is stored in the database is more dangerous: an attacker could retrieve it and eventually recover the password (the ease of this operation depends both on the password and on the hash algorithm). To prevent this, we first concatenate the MAGIC_STRING constant to the password and then hash the result. This helps prevent an attacker from retrieving the password by attacking the hash. This process is known as salting.

The hash method can be the same or a different method than the one used to store the password in the database.

All authentication drivers provide two methods for this purpose: hash and authenticateHash. The following code demonstrates hashing the password and then authenticating with the hashed password.

<?php

// Our data from previous examples
$aTest = array(
	'identifier'	=> 'test@example.org',
	'password'		=> 'mypassword42',
);

// This is how you can generate a hash
$aTest['password'] = $oAuth->hash($aTest['password']);

try {
	// And this is how you check if it's valid
	$aResult = $oAuth->authenticateHash($aTest);
	// Authentication succeeded
} catch (AuthenticationException $e) {
	// Authentication failed
}

Note that we generate a hash based on the password as stored inside the authentication server. This means that a treatment may have already been applied to it. By hashing it again with a salt, we ensure that the original hash and the original password cannot be guessed.

You cannot generate a hash based on the clear-text password, unless you store it in clear-text in the authentication server, which is strongly discouraged.

The default treatment applied when hashing is sha1. This, too, can be changed by specifying the hash_treatment parameter to the constructor.
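The following is an added, stand-alone re-implementation of the scheme described above (stored representation, MAGIC_STRING concatenation, sha1 treatment, check of the resulting hash); it is not the library's own code, and the function names, the sample database array and the placeholder secret are assumptions.

```php
<?php
// Added example, not the library's implementation. MAGIC_STRING is a placeholder;
// a real deployment uses a long random secret kept only on the server.
declare(strict_types=1);

const MAGIC_STRING = 'REPLACE-WITH-A-LONG-RANDOM-SERVER-SECRET';

// How the authentication server is assumed to store the password here:
// a plain sha1 of the clear-text password (the "treatment" the text mentions).
function storedRepresentation(string $clearPassword): string
{
    return sha1($clearPassword);
}

// Equivalent of the page's hash step: concatenate the server-side constant to
// the stored representation, then apply the treatment (sha1 by default).
function cookieHash(string $storedPassword, string $treatment = 'sha1'): string
{
    return hash($treatment, $storedPassword . MAGIC_STRING);
}

// Equivalent of the page's authenticateHash step: recompute the expected value
// from the stored representation and compare in constant time, so a mismatch
// does not leak how many leading bytes matched through timing.
function checkHashedCredentials(array $credentials, array $db, string $treatment = 'sha1'): bool
{
    if (!isset($db[$credentials['identifier']])) {
        return false;
    }
    $expected = cookieHash($db[$credentials['identifier']], $treatment);
    return hash_equals($expected, $credentials['password']);
}

// Constructed sample data, reusing the identifier and password from the page.
$db = ['test@example.org' => storedRepresentation('mypassword42')];

// Token that would be placed in the cookie.
$token = cookieHash($db['test@example.org']);
var_dump(checkHashedCredentials(['identifier' => 'test@example.org', 'password' => $token], $db)); // bool(true)

// The raw stored hash alone is rejected: without MAGIC_STRING it does not match.
var_dump(checkHashedCredentials(['identifier' => 'test@example.org', 'password' => sha1('mypassword42')], $db)); // bool(false)

// A different treatment changes the token, mirroring the hash_treatment parameter.
var_dump(cookieHash($db['test@example.org'], 'sha256') === $token); // bool(false)
```

Because the cookie value is derived from the stored representation plus a secret the client never sees, leaking the cookie does not expose the stored hash, and leaking the database does not yield a valid cookie without the secret.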