Is there a good authentication/admin start site for cfwheels


stofke

unread,
Dec 29, 2012, 10:12:10 AM12/29/12
to ColdFusion on Wheels
We all need this when we start a site: a user authentication and admin
part for the site. I wonder if there is something I could use to
build upon. Why reinvent the wheel if smarter people than me have already
built something like this, right? ;)

Thanks

Tom King

unread,
Dec 29, 2012, 10:32:40 AM12/29/12
to cfwh...@googlegroups.com

kristof polleunis

unread,
Dec 29, 2012, 3:30:54 PM12/29/12
to cfwh...@googlegroups.com
Is this version recommended?  I had a look at 


That doesn't have the admin part but it seems a bit different in implementation.

CFW-usermanager seems to have a lot of functions in the functions.cfm file in the events folder, which I find confusing. Also, the database has a password field and a salt, but the password contains the salt code, so I wonder why the salt code is stored anyway, or why it is added in front of the password?

Has anyone been using these? 

On Saturday, December 29, 2012 16:32:40 UTC+1, Tom King wrote:

Tom King

unread,
Dec 29, 2012, 4:31:29 PM12/29/12
to cfwh...@googlegroups.com
I've not looked at Russ's one, but the cfwusermanager has the key functions for bcrypt encryption for the salt+hashing bit which is worth looking at.

The point with /events/functions.cfm is that that's where one usually puts functions used across the entire wheels app.

isSignedIn(), for instance, could be used in a controller or view, etc. (At least that's how I see it.)

You need to store the salt as you need it to compare the 'entered', salted, password with the 'stored' salted password. It's an example of hashing, which is one way, compared to encryption, which can be either way ( that's a MAJOR simplification). I wrote a very basic outline of this here a while ago: http://www.oxalto.co.uk/2011/07/password-hashing-and-salting/ (read the comments too).

HTH
T

kristof polleunis

unread,
Dec 29, 2012, 4:51:48 PM12/29/12
to cfwh...@googlegroups.com
I like the bcrypt class to encrypt the password using a salt.

What's not clear to me is why it stores the salt and adds it to the password. Say the salt is 123; the password here is stored as 123.password. So if the password already contains the salt, why store the salt separately, or why add the salt in front of the password? That part is not clear to me.



In your article you seem to go further by reversibly encrypting the salt with a key located outside the root folder before storing it, and by arbitrarily redoing the hashing process a couple of thousand times.

But cfwusermanager seems to store the salt as is or maybe I'm overlooking something and seems to tack it onto the password so it's two times in the database.

On Saturday, December 29, 2012 22:31:29 UTC+1, Tom King wrote:

Joshua Cyr

unread,
Dec 29, 2012, 5:06:56 PM12/29/12
to cfwh...@googlegroups.com
When authenticating the password sent from the form you add the unique salt to the form password and compare that result to the password stored in the DB to see if they are the same.  You don't use the salt to unencrypt. This is why the salt is stored in some way, so that you can then compare it when it comes time to authenticate.

Typically a salt is stored for each user and is different for each user.  Sometimes there is also a site wide additional salt.  

At least this is true for SHA 512. With bcrypt my understanding is that the salt is actually a part of the hash, and no need for an actual salt field.









--
Thanks,
Joshua Cyr
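To make the two schemes discussed above concrete, here is an added example (my own code, not taken from cfwusermanager, Tom's article or Andy's plugin). The first part shows that a bcrypt string already carries its version, cost and 22-character salt, so no separate salt column is needed; the second part shows the SHA-512 style scheme where the per-user salt must be stored alongside the digest so it can be reapplied at login. The iteration count and the constructed bcrypt string are my own sample values, not anything from the thread.

```python
import hashlib
import hmac
import os
import re

# bcrypt modular-crypt format: $2a$<cost>$<22-char salt><31-char hash>
# (60 characters in total; salt and hash use bcrypt's ./A-Za-z0-9 alphabet)
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

def is_bcrypt(stored):
    """True if the stored value has the bcrypt layout (salt embedded)."""
    return BCRYPT_RE.match(stored) is not None

def parse_bcrypt(stored):
    """Split a bcrypt string into its parts; the salt is read straight out of it."""
    m = BCRYPT_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt string")
    version, cost, salt, digest = m.groups()
    return {"version": version, "cost": int(cost), "salt": salt, "hash": digest}

# --- SHA-512 style scheme from the thread: per-user salt stored in its own column ---

def hash_password_sha512(password, salt=None, site_salt="", iterations=2000):
    """Return (salt, digest). A new random per-user salt is generated when none is given.
    site_salt is the optional site-wide extra salt Joshua mentions; iterations is the
    stretching count (2000 here is an assumed sample value)."""
    if salt is None:
        salt = os.urandom(16).hex()
    digest = hashlib.sha512((site_salt + salt + password).encode("utf-8")).hexdigest()
    for _ in range(iterations - 1):
        digest = hashlib.sha512((salt + digest).encode("utf-8")).hexdigest()
    return salt, digest

def verify_sha512(password, stored_salt, stored_digest, site_salt="", iterations=2000):
    """Re-salt and re-hash the submitted password, then compare in constant time.
    The stored salt is required here; nothing is decrypted."""
    _, candidate = hash_password_sha512(password, stored_salt, site_salt, iterations)
    return hmac.compare_digest(candidate, stored_digest)

if __name__ == "__main__":
    # Constructed bcrypt-shaped sample (correct layout, not a real hash of any password)
    sample = "$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
    print(parse_bcrypt(sample))
    salt, digest = hash_password_sha512("correct horse")
    print(verify_sha512("correct horse", salt, digest), verify_sha512("wrong", salt, digest))
```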


kristof polleunis

unread,
Dec 29, 2012, 8:17:08 PM12/29/12
to cfwh...@googlegroups.com
You are right, I just found this explanation on BCrypt:


So there is no need for a separate salt column as the salt can be derived from the generated BCrypt password.

On Saturday, December 29, 2012 23:06:56 UTC+1, Joshua Cyr wrote:

Andy Bellenie

unread,
Dec 30, 2012, 5:59:38 AM12/30/12
to cfwh...@googlegroups.com
I've got a plugin that automates this stuff. Need to finish the docs though.


kristof polleunis

unread,
Dec 30, 2012, 5:28:44 PM12/30/12
to cfwh...@googlegroups.com
Andy, you mean the hash generation part? Does it support BCrypt?

On Sunday, December 30, 2012 11:59:38 UTC+1, Andy Bellenie wrote:

Andy Bellenie

unread,
Dec 31, 2012, 4:36:39 AM12/31/12
to cfwh...@googlegroups.com
No, it uses a more straightforward hash+salt algorithm. Bcrypt is a bit overkill, but feel free to fork it and replace the hashAndSalt() function.


Adam Chapman

unread,
Dec 31, 2012, 5:46:54 PM12/31/12
to cfwh...@googlegroups.com
+1 user-manager

Adam Chapman

unread,
Dec 31, 2012, 5:48:40 PM12/31/12
to cfwh...@googlegroups.com