Hashing passwords in CF Wheels


Mohamad El-Husseini

Aug 24, 2010, 10:42:19 PM
to ColdFusion on Wheels
Does CF on Wheels provide a way to hash passwords with salt? Does
anyone have a handy example?

Thanks!

raulriera

Aug 24, 2010, 10:44:26 PM
to ColdFusion on Wheels
Not really, but all you need to do is create a beforeCreate callback
in your model and hash that password with whatever encrypt method of
your choice in ColdFusion.

Russ Johnson

Aug 24, 2010, 11:02:39 PM
to cfwh...@googlegroups.com
Wheels doesn't have this built in, but here is an example in the Wheels template I did a while back...

http://github.com/russjohnson/wheels_application_template/blob/master/models/User.cfc

This should be improved now in that example, as I have built a much stronger hash method in my current apps, but I haven't had time to update the template.

You can also check out the Sessions controller in that same repo for an example of authentication using the hash.

- Russ


Mohamad El-Husseini

Aug 24, 2010, 11:43:26 PM
to ColdFusion on Wheels
I think I'm missing something here...

1. Validate the password and hash it.
2. Generate a random key and hash it (can I use a rand function for
this?)
3. Save password hash to "password" field, and save the random key
hash to "salt" field

But then how do we compare it when a person tries to log in? Don't we
have to decrypt the salt? The only way to validate a login is if
we know what the random key is? Doesn't this defeat the whole purpose?


On Aug 25, 12:02 am, Russ Johnson <russ.cfco...@gmail.com> wrote:
> Wheels doesnt have this built in but here is an example in the wheels template I did a while back...
>
> http://github.com/russjohnson/wheels_application_template/blob/master...

raulriera

Aug 25, 2010, 10:06:01 AM
to ColdFusion on Wheels
Do you want to know the password? You just need to hash() the incoming
password attempt from the user with the one stored in the DB.

John C. Bland II

Aug 25, 2010, 12:01:23 PM
to cfwh...@googlegroups.com
I have password hashing in the Cookbook. I'll post the code in a few days but here's a portion of the user model. Hope it helps.

<cffunction access="private" name="$beforeValidationOnCreate" hint="Callback to process the model before validation on create">
    <!--- set a default password if the user didn't select one --->
    <cfif NOT isDefined("this.password")>
        <cfset this.password = getUniqueValue() />
    </cfif>
</cffunction>

<cffunction access="private" name="$beforeCreate" hint="Callback to process the model before creating an entry">
    <!--- every new record gets a fresh salt and a hashed password --->
    <cfset $saltPassword() />
</cffunction>

<cffunction access="private" name="$beforeUpdate" hint="Callback to process the model before updating an entry">
    <!--- if the password has changed, salt it --->
    <cfif hasChanged("password")>
        <cfset $saltPassword() />
    </cfif>
</cffunction>

<cffunction access="private" name="$saltPassword" hint="Takes the stored password and salts it then updates the password.">
    <!--- a new random salt is generated on every change and stored next to the hash --->
    <cfset this.passwordsalt = getUniqueValue() />
    <cfset this.password = $getPassswordHash(this.password, this.passwordsalt) />
</cffunction>

<cffunction access="public" name="$getPassswordHash" hint="Hashes the password with a salt">
    <cfargument name="pw" type="string" required="true" hint="Password to hash" />
    <cfargument name="pwsalt" type="string" required="true" hint="Salt to use with pw in hash" />
    <!--- SHA-512 over password & salt, then 1025 further rounds that re-hash the previous hex digest with the salt --->
    <cfset arguments.pw = hash(arguments.pw & arguments.pwsalt, 'SHA-512') />
    <cfloop from="1" to="1025" index="i">
        <cfset arguments.pw = hash(arguments.pw & arguments.pwsalt, 'SHA-512') />
    </cfloop>
    <cfreturn arguments.pw />
</cffunction>

<cffunction access="private" name="getUniqueValue" hint="Gets a unique value for passwords and salts">
    <!--- first 7 characters of a UUID --->
    <cfreturn mid(CreateUUID(), 1, 7) />
</cffunction>

<!--- PUBLIC METHODS --->
<cffunction access="public" name="updatePassword" returntype="boolean" hint="Updates the users password; note: model.password must be set first">
    <cfset var args = structNew() />
    <!--- this.password holds the new plaintext; the $beforeUpdate callback salts and hashes it when the change is saved, so it must not be hashed here as well or the stored value would be a hash of a hash and authenticate() would never match --->
    <cfset args.password = this.password />
    <cfreturn this.update(properties=args) />
</cffunction>

<cffunction access="public" name="authenticate" returntype="boolean" hint="Authenticates a users credentials">
    <cfargument name="pw" type="string" required="true" hint="Password" />
    <cfif NOT isDefined("this.password") OR NOT isDefined("this.passwordsalt")>
        <cfreturn false />
    <cfelse>
        <!--- re-hash the attempt with the stored salt; compare() returns 0 when the two strings match --->
        <cfreturn NOT compare($getPassswordHash(arguments.pw, this.passwordsalt), this.password) />
    </cfif>
</cffunction>

<cffunction access="public" name="resetPassword" returntype="Struct" hint="Resets a users password and returns a struct with the new password [key: password] and update result [key: success]">
    <cfset var result = structNew() />
    <cfset var props = structNew() />
    <cfset props.ispasswordreset = "1" />
    <!--- generatePassword() is defined elsewhere in the model; it is not part of the portion posted here --->
    <cfset props.password = generatePassword() />
    <cfset setProperties(props) />
    <cfset result.password = props.password />
    <!--- update() fires $beforeUpdate, which salts and hashes the new password --->
    <cfset result.success = update() />
    <cfreturn result />
</cffunction>

---
John C. Bland II
http://www.johncblandii.com
http://www.johnandseason.com
http://www.twitter.com/johncblandii
---
Suggested sites:
http://www.lifthimhigh.com - "Christian Products for Those Bold Enough to Wear Them"
http://www.sportsmatchmaker.com - "What are you doing today?"
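The question earlier in the thread (how to check a login without "decrypting" the salt) and the model above both come down to the same flow: store the salt in the clear next to the hash, and at login re-run the exact same hash over the attempt plus the stored salt. The following is an added example, not code from the thread or from CF Wheels; it is written in Python rather than CFML so it runs stand-alone, and it mirrors the posted scheme (SHA-512 over password and salt, then 1025 further rounds over the previous uppercase hex digest and the salt). The salt length (16 random bytes from the OS CSPRNG, instead of 7 characters of a UUID), the record layout and the sample user are assumptions made here. An unsalted hash is included alongside only to show why the salt is stored: without it, two users with the same password end up with the same stored value.

```python
import hashlib
import hmac
import secrets

# Mirrors the posted model: one SHA-512 over (password & salt), then 1025
# more rounds over (previous hex digest & salt), 1026 digests in total.
ROUNDS = 1025


def generate_salt() -> str:
    """Per-user random salt: 16 bytes from the OS CSPRNG as 32 hex characters.
    (The thread's model uses mid(CreateUUID(), 1, 7); the CSPRNG is an
    assumption made in this example.)"""
    return secrets.token_hex(16)


def password_hash(pw: str, salt: str) -> str:
    """Salted, iterated SHA-512 in the same shape as $getPassswordHash().
    ColdFusion's hash() returns uppercase hex, so upper() is applied to keep
    the intermediate values in the same form."""
    digest = hashlib.sha512((pw + salt).encode("utf-8")).hexdigest().upper()
    for _ in range(ROUNDS):
        digest = hashlib.sha512((digest + salt).encode("utf-8")).hexdigest().upper()
    return digest


def unsalted_hash(pw: str) -> str:
    """What an unsalted hash stores: the same password always gives the same value."""
    return hashlib.md5(pw.encode("utf-8")).hexdigest().upper()


def create_user(password: str) -> dict:
    """What the beforeCreate callback persists: the hash and the salt, never the password."""
    salt = generate_salt()
    return {"password": password_hash(password, salt), "passwordsalt": salt}


def authenticate(record: dict, attempt: str) -> bool:
    """Login check. Nothing is decrypted: the stored salt is read back, the
    attempt is hashed the same way, and the two hashes are compared with a
    constant-time comparison."""
    if "password" not in record or "passwordsalt" not in record:
        return False
    candidate = password_hash(attempt, record["passwordsalt"])
    return hmac.compare_digest(candidate, record["password"])


if __name__ == "__main__":
    alice = create_user("correct horse")  # constructed sample user
    print(alice)
    print(authenticate(alice, "correct horse"))  # True
    print(authenticate(alice, "wrong"))          # False
    # Two users with the same password: salted hashes differ, unsalted ones do not.
    bob = create_user("correct horse")
    print(alice["password"] != bob["password"])
    print(unsalted_hash("correct horse") == unsalted_hash("correct horse"))
```

The record returned by create_user() is exactly what the model's password and passwordsalt columns hold; authenticate() plays the role of the model's authenticate() method, and the salt is never secret, only unique per user.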

kwbarrett

Aug 25, 2010, 5:33:52 PM
to ColdFusion on Wheels
I just did this today. In my People.cfc model, I added a
beforeSave("encryptPassword") to my init() method along with my
validations. Then in the encryptPassword() method, I added something like
<cfset user.password=hash("#params.user.password#", "MD5")/>. After
that my user.save() executes and the password is encrypted. Pretty simple
actually.

On Aug 24, 10:42 pm, Mohamad El-Husseini <abitdo...@hotmail.com>
wrote:

Mohamad El-Husseini

Aug 27, 2010, 9:44:28 AM
to ColdFusion on Wheels
Thanks guys. It seems easy enough, but I will put this on the back
burner until I finish other features in the site!