Saturday, September 29, 2012

Encryption, Hashing and Session

You should not store passwords in the clear in the Session. It is generally recommended to store a hash of the password instead, so that the original password cannot be recovered from what is stored.

Hashing

Registration

A common practice is to store the hashed password in the database and never store passwords as plain text anywhere in your application. During registration, the plain password you provide is used in this way:
  • A salt is added to the plain password;
  • The new string (plain password + salt) is used to generate a hash value with the SHA-1 or MD5 algorithm;
  • The hash value is stored in the DB.

Authentication

Authentication is a process similar to the one described above. The plain password provided in the login form is used in this way:
  • The salt is added to the plain password;
  • The new string (plain password + salt) is used to generate a hash value with the SHA-1 or MD5 algorithm;
  • The hash value is compared with the hash value stored in the DB, retrieved by username.
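The registration and authentication flow described above, as an added example that is not code from the original post. It assumes a random per-user salt stored next to the hash and, going beyond the single SHA-1/MD5 round the post names, uses PBKDF2-HMAC-SHA256 from the standard library so that offline guessing is slow; the final comparison is constant-time.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not from the original post): PBKDF2-HMAC-SHA256 with a
# 16-byte random salt and a high iteration count replaces a single SHA-1/MD5
# round, which is too fast to resist offline guessing of leaked hashes.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def derive(password: str, salt: bytes) -> bytes:
    """Step 2 of the post: combine the plain password with the salt and hash it."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)


def register(password: str, salt: Optional[bytes] = None) -> dict:
    """Registration: create a salt, hash the salted password, return the DB record.

    The salt is stored with the hash; only the hash, never the password, is kept.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return {"salt": salt.hex(), "hash": derive(password, salt).hex()}


def authenticate(password: str, record: dict) -> bool:
    """Authentication: rehash the submitted password with the user's stored salt
    and compare it with the stored hash in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = derive(password, salt)
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


# Constructed sample data: a fake user table keyed by username.
USERS = {"alice": register("correct horse battery staple")}

if __name__ == "__main__":
    # After a successful login, the session holds the username, not the password.
    print(authenticate("correct horse battery staple", USERS["alice"]))  # True
    print(authenticate("wrong password", USERS["alice"]))  # False
```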


Encryption

Encryption differs from hashing in that encrypted text can be decrypted to recover the original text, whereas hashing does not allow the original text to be obtained from the hash value.
