1

I would like to ask a question about the wisdom of having two cookies. In one PHP file, the following codes are to be found:

    //dbconn establishes connection to database and is not shown here
    $salt = hash("sha512", rand().rand().rand());
    mysqli_query($dbconn, "INSERT into `members` (`membername`, `password`,
                 `salt`) VALUES ('$membername', '$password', '$salt')");
    setcookie("cookiemember", hash("sha512", $membername, 
              time() + 24*60*60, "/");
    setcookie("cookiesalt", $salt, time() + 24*60*60, "/");
    mysqli_close($dbconn)

In a second PHP file, the following lines of code are found:

     if (isset($_COOKIE['cookiemember']) &&
         isset($_COOKIE['cookiesalt'])) {
         $cookymem = mysqli_real_escape_string($dbconn,   
            $_COOKIE['cookiemember']);
         $cookysalty = mysqli_real_escape_string($dbconn,   
            $_COOKIE['cookiesalt']);
         $result = mysqli_query($dbconn, "SELECT * FROM `members` 
            where `salt` = '$cookysalty'");

What I don't understand is the purpose of the variable $salt. You take three randomly generated numbers, concatenate them, apply a secure hash algorithm to this concatenated number, and then put the output into a table called members. You then use this $salt variable as the value of a cookie but not before you escape special characters from it. Why go through all this trouble when you are already encrypting the field name membername by hashing it? Why can't the last line of the code simply read:

         $result = mysqli_query($dbconn, "SELECT * FROM `members` 
            where `membername` = '$cookymem'");
Arnold Pine
  • 55
  • 1
  • 5
  • Vladimir, thanks for the link. The link did contain a very useful answer by a user called "Approximately Linear". – Arnold Pine Mar 14 '15 at 15:37
  • I am not really sure this is an duplicate questions. To me this looks like a case of bad variable naming. $cookiysalty might not contain the SALT but the salted password. Ofc that's hard to tell without reading more code. The code also spells cookie wrong and uses "mem" where it should use member so people don't have to guess what's inside the variable. – Malte Köhrer Mar 14 '15 at 15:39
  • Agreed, this isn't a duplicate. Unless there is missing code, there is use a a variable called a salt, but there is no implementation of a salt at all – cwurtz Mar 14 '15 at 15:52

1 Answers1

1

There are big databases containing the list of encoded words. For example this site. SALTs are for making it impossible to simply enter the HASH into a textbox, and hope that its decoded. Ofcourse there are workarounds, but SALTS make attacker's job much harder, possibly forcing him to not use it. As specified in comments by Vladimir, please read this so you understand what SALT is.

Community
  • 1
  • 1
Eda190
  • 669
  • 1
  • 7
  • 20
  • Thanks for the link to the SHA2 decrypter webpage. It might be useful to play around and see whether it really does reverse an encrypted input. – Arnold Pine Mar 14 '15 at 15:44
  • I tried it with MD 5, and it found ALOT of passwords actually. I used different site tho. – Eda190 Mar 14 '15 at 15:45
  • Just an update about the website that you gave a link to: sha512.blogspot.cz. When you encrypt an input and get an output, and then immediately put that output into the decrypter, you DO get back your original input. However, if you have used ANY OTHER online SHA512 to ENCRYPT your input, and you then copy the encrypted string into sha512.blogspot.cz's decrypter, you will see a blank. In other words, I believe that this website is bogus and can only decrypt text that was encrypted ON ITS OWN encrypter by "remembering" the text that was typed into the encrypter. That's cheating. – Arnold Pine Mar 14 '15 at 20:30
  • That is possible. I was using different websites, that were legit for me. However....again....I was decrypting MD5 hashes (wanted to prove my friend wrong, that his database is not safe). For that I used [http://www.md5online.org/](http://www.md5online.org/) and [http://www.hashkiller.co.uk/md5-decrypter.aspx](http://www.hashkiller.co.uk/md5-decrypter.aspx). I believe the second website also decrypts SHA, but I ain't sure. I'm sorry I provided wrong example site, it was the first thing that came out when I Googled it. – Eda190 Mar 14 '15 at 20:34