login php hash and salt

gps 9 years ago

Hi all

Can anyone point me to how to work with password hash and salt?

What I need is to insert a user from a form, but I can't figure out how hash and salt work... can anyone help me?

I'm using PHP 5.4.

Best Regards

Anton Tananaev 9 years ago

For hashing Traccar uses PBKDF2 with HMAC-SHA1.

I believe PHP has a native implementation starting from 5.5: http://php.net/hash-pbkdf2
For older version you can use: https://defuse.ca/php-pbkdf2.htm

For hashing parameters (iterations, sizes etc) you can look at this class:
https://github.com/tananaev/traccar/blob/master/src/org/traccar/helper/Hashing.java

ivalenzuela 8 years ago

Hi guys,

Here is an implementation with the Traccar database for login.

public function doLogin($u,$p){
        $hosteo = new Host(1);
        $this->set_conexion($hosteo->datos['host'],$hosteo->datos['user'],$hosteo->datos['pass'],$hosteo->datos['bd']);

        // The login is bound as a parameter instead of being concatenated into the SQL
        $consulta ='SELECT u.id as llave, u.name as nombre, u.hashedPassword as hashed,u.salt as salto,u.admin as estado FROM user u INNER JOIN users us ON us.id = u.id WHERE us.login = ?';

        $dato['estado'] = false;
        $stmt = $this->sql_con->prepare($consulta);
        if($stmt === false || !$stmt->bind_param('s', $u) || !$stmt->execute()) {
            trigger_error('Ha ocurrido un error');
        }

        else{
            $result = $stmt->get_result(); // needs the mysqlnd driver
            while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
              $data = $p;
              $key = $this->hexToStr($row['salto']);
              // PBKDF2-HMAC-SHA1, 1000 iterations, 24 raw bytes
              $hashed = hash_pbkdf2("sha1",$data, $key,1000,24,true);
              // hash_equals (PHP 5.6+) compares in constant time and avoids the type juggling of ==
              if (hash_equals((string) $row['hashed'], $this->strToHex($hashed))){
                $dato['estado'] = true;
                session_start();
                session_regenerate_id(true); // new session id after a successful login
                $_SESSION['loginstate'] = 1;
              }

            }
        }
        array_push($this->datos, $dato);

    }

    public function strToHex($string){
        $hex='';
        for ($i=0; $i < strlen($string); $i++){
            // Two hex digits per byte; dechex() alone drops the leading zero of bytes below 0x10
            $hex .= sprintf('%02x', ord($string[$i]));
        }
        return strtoupper($hex);
    }


    public function hexToStr($hex){
        $string='';
        for ($i=0; $i < strlen($hex)-1; $i+=2){
            $string .= chr(hexdec($hex[$i].$hex[$i+1]));
        }
        return $string;
    }

jaimzj 8 years ago

Great information and sample, ivalenzuela.

Anton, if you find this right, maybe it could be a great idea to add this to the documentation for third-party integration etc. with PHP.

And ivalenzuela, do you have a function you have already created for creating accounts?

rjangid 8 years ago

Instead of the custom functions 'stringToHex' and 'hexToString', one should use the PHP built-in functions hex2bin and bin2hex.

andrea 8 years ago

In case someone needs to create an account in the Traccar users table:

$name = "the_name";
$email = "the_email";
$password = "the_password";

// 24 random bytes of salt; mcrypt was removed in PHP 7.2, so random_bytes() is used where it exists
$string = function_exists('random_bytes') ? random_bytes(24) : mcrypt_create_iv(24, MCRYPT_DEV_URANDOM);
$salt = strtoupper(bin2hex($string));

// PBKDF2-HMAC-SHA1, 1000 iterations, 24 raw bytes, stored as upper-case hex
$hash = hash_pbkdf2("sha1", $password, $string, 1000, 24, true);
$hash = strtoupper(bin2hex($hash));

Finally, execute the following query:

INSERT INTO users (name, email, hashedpassword, salt, readonly, admin, map, language, distanceunit, speedunit, latitude, longitude, zoom) VALUES ('$name', '$email', '$hash', '$salt', 0, 0, 'osm', 'en', 'km', 'kmh', 0, 0, 0);

Try to log in to the Traccar server!
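
The account creation and login check from the posts above, combined into one script with bound query parameters; this is an added example, not part of the original thread and not Traccar's own code. It assumes PHP 7+ with the pdo_sqlite extension; the in-memory table (a subset of the columns in the INSERT above), the function names and the sample user are constructed for illustration, while the hashing parameters are the ones used in the posts.

```php
<?php
// Added example. SHA-1, 1000 iterations, 24-byte salt and hash, upper-case hex:
// the parameters used in the thread's snippets.
const ITERATIONS = 1000;
const BYTES = 24;

function make_credentials($password) {
    $salt = random_bytes(BYTES);                        // CSPRNG, PHP 7+
    $hash = hash_pbkdf2('sha1', $password, $salt, ITERATIONS, BYTES, true);
    return [strtoupper(bin2hex($hash)), strtoupper(bin2hex($salt))];
}

function check_password($password, $hashHex, $saltHex) {
    if (!ctype_xdigit($saltHex) || strlen($saltHex) % 2 !== 0) {
        return false;                                   // malformed salt column
    }
    $calc = hash_pbkdf2('sha1', $password, hex2bin($saltHex), ITERATIONS, BYTES, true);
    // Constant-time comparison, case-insensitive on the stored hex
    return hash_equals(strtoupper($hashHex), strtoupper(bin2hex($calc)));
}

function create_user(PDO $db, $name, $email, $password) {
    list($hash, $salt) = make_credentials($password);
    // Values are bound, never interpolated into the SQL text
    $stmt = $db->prepare('INSERT INTO users (name, email, hashedpassword, salt) VALUES (?, ?, ?, ?)');
    $stmt->execute([$name, $email, $hash, $salt]);
}

function login(PDO $db, $email, $password) {
    $stmt = $db->prepare('SELECT hashedpassword, salt FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                                   // unknown account
    }
    return check_password($password, $row['hashedpassword'], $row['salt']);
}

// Constructed stand-in for the users table: in-memory SQLite, subset of columns.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, email TEXT UNIQUE, hashedpassword TEXT, salt TEXT)');

// Constructed sample user; the quote in the name would break a string-built query.
create_user($db, "O'Brien", 'driver@example.test', 'correct horse');
var_dump(login($db, 'driver@example.test', 'correct horse'));
var_dump(login($db, 'driver@example.test', 'wrong password'));
var_dump(login($db, 'nobody@example.test', 'correct horse'));
```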

Anton Tananaev 8 years ago

Thanks for sharing the info.

imam ferianto 8 years ago

Thank you, the tips worked like a charm. I suggest adding other fields to the devices table, e.g. gsm_number for SMS tracking or callback commands from the server to devices.

andrea 8 years ago

In fact I use the above routine to connect a lot of info, using the email field, to a wide world of information in my relational database, like maintenance records on trucks, drivers, renewal of insurance, all info on GPS equipment, SIM data and so on. So when I create or delete a user account on my system I do the same on the Traccar "users" table; the change of password is also managed.
Last but not least, it's multi-company software.
Regards

andrea 8 years ago

And you can log in to Traccar using the API from a PHP page:

// URL-encode the credentials so characters such as & or = in the password are sent intact
$login = http_build_query(array('email' => $usr_email, 'password' => $usr_password));

// Over plain http:// the password travels unencrypted; use https:// when the server offers it
$url = "http://<traccar_server_ip>:<traccar_server_port>/api/session";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $login);

$content = curl_exec($ch);
curl_close($ch);

// get cookies
$cookies = array();
if ($content !== false && preg_match_all('/Set-Cookie:(?<cookie>\s{0,}.*)$/im', $content, $cookies)) {
    // Forward the first session cookie to the browser
    $kk = trim($cookies['cookie'][0]);
    header("Set-Cookie: ".$kk);
}

And then redirect to the Traccar server

mtrntx 8 years ago

Hello Andrea
Do you have an example of sending a command with the Traccar API in PHP?

andrea 8 years ago

no, only login procedure... Extracted from a PHP framework!

sicksand 7 years ago

in case that someone needs to create an account in traccar users table:

...

finally execute the following query:

...

try to enter in traccar server!

How about code to log in? Can you share it? Thanks.

Parth 7 years ago

I am facing a problem in login with PHP. Can someone help me regarding this?

andrea 7 years ago

Look at the post history... pay attention that the API login saves cookies to grant so the server IP/domain must be the same.