FOSRestBundleByExample
UserInterface in PlainText
Hi,
I just looked around and I saw that the UserInterface of FOSUserBundle must be in plaintext. How does it impact the security if we do that and also use the regular login method (i.e. using the form)?
Thanks,
This is an issue of WSSE and Symfony, as you may deactivate the SALT on password storage. Without the salt you cannot create a Token on the client side.
This is a major issue, how can you secure the login with any salt or encryption?
You can secure and remove the salt from symfony2. When you exchange the WSSE token, the password is passed hardly encrypted in the generated token, so the salt is not necessary as a common base64 http request.
I am not sure I understand, could you be more specific?
If you remove the salt and leave the encryption, should it work? Is there something else to change to make it work?
If I leave the salt and the encryption, then what happens?
I'm also anxious to hear a more specific elaboration on this issue!
In real projects using WSSE, what I do is to return the user object on POST user create, so the client app gets the Salt. The other thing is to retrieve the salt from a single service (/user/
There is also a service that generates a token based on a username/password.
The project right now (after the sf2.6 update) will check the salt and use strong encryption for passwords.
You can also check how it's done in OROPlatform, they use an additional token to use instead of the passwd/Salt combination in the firewall
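The point the thread circles around is that a WSSE `PasswordDigest` is `Base64(SHA1(nonce + created + secret))`, so the server can only verify it by recomputing it with the very same `secret` string the client used. The example below is added here and is not code from the thread, from FOSRestBundle or from FOSUserBundle; it is written in Python rather than PHP to show the protocol mechanics independent of the bundles. It walks through both cases discussed above: the server holding the plaintext password (the original concern), and the later comments' approach where the salt is handed to the client at user creation and a derived value, not the raw password, is what both sides feed into the digest. The `X-WSSE` header layout, the `derive_api_secret` derivation (SHA-256 over salt and password), the 300-second lifetime and the in-memory nonce cache are assumptions made for the example, not the bundles' own behaviour.

```python
import base64
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed header layout, constructed to follow the WSSE UsernameToken profile:
# X-WSSE: UsernameToken Username="...", PasswordDigest="...", Nonce="...", Created="..."
_FIELD = re.compile(r'(\w+)="([^"]*)"')
_CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"


def wsse_digest(nonce: bytes, created: str, secret: str) -> str:
    """PasswordDigest = Base64(SHA1(nonce + created + secret))."""
    raw = hashlib.sha1(nonce + created.encode() + secret.encode()).digest()
    return base64.b64encode(raw).decode()


def derive_api_secret(salt: str, password: str) -> str:
    """Hypothetical derivation run on both sides: the client receives the salt once
    (e.g. in the user object returned on create) and both sides digest this value,
    so the server never needs to store the raw password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_header(username: str, secret: str, nonce: Optional[bytes] = None,
                 created: Optional[str] = None) -> str:
    """Client side: fresh random nonce and current timestamp unless supplied."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(_CREATED_FMT)
    digest = wsse_digest(nonce, created, secret)
    return (f'UsernameToken Username="{username}", PasswordDigest="{digest}", '
            f'Nonce="{base64.b64encode(nonce).decode()}", Created="{created}"')


class WsseVerifier:
    """Server side: recomputes the digest, so it must hold the same secret string
    the client used; it also bounds the Created age and rejects nonce reuse."""

    def __init__(self, secrets: dict, lifetime_s: int = 300):
        self._secrets = secrets                # username -> secret string
        self._lifetime = timedelta(seconds=lifetime_s)
        self._seen_nonces: dict = {}           # nonce -> time first seen (replay protection)

    def verify(self, header: str, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        fields = dict(_FIELD.findall(header))
        try:
            username, digest = fields["Username"], fields["PasswordDigest"]
            nonce_b64, created = fields["Nonce"], fields["Created"]
            nonce = base64.b64decode(nonce_b64, validate=True)
            created_dt = datetime.strptime(created, _CREATED_FMT).replace(tzinfo=timezone.utc)
        except (KeyError, ValueError):
            return False
        # Created must be recent and not from the future (30 s clock skew allowed).
        if created_dt > now + timedelta(seconds=30) or now - created_dt > self._lifetime:
            return False
        # Forget nonces older than the lifetime, then reject any nonce still remembered.
        self._seen_nonces = {n: t for n, t in self._seen_nonces.items()
                             if now - t <= self._lifetime}
        if nonce_b64 in self._seen_nonces:
            return False
        secret = self._secrets.get(username)
        if secret is None:
            return False
        expected = wsse_digest(nonce, created, secret)
        if not hmac.compare_digest(expected, digest):
            return False
        self._seen_nonces[nonce_b64] = now
        return True


def demo() -> dict:
    """Constructed walk-through of both storage models discussed in the thread."""
    now = datetime(2015, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
    created = now.strftime(_CREATED_FMT)
    nonce = b"0123456789abcdef"                 # constructed, fixed for reproducibility
    results = {}
    # Case A: the server stores the plaintext password and digests it directly.
    plain = WsseVerifier({"alice": "s3cret"})
    hdr = build_header("alice", "s3cret", nonce, created)
    results["plaintext_ok"] = plain.verify(hdr, now)
    results["replay_rejected"] = not plain.verify(hdr, now)
    results["stale_rejected"] = not plain.verify(hdr, now + timedelta(minutes=10))
    # Case B: the server stores only derive_api_secret(salt, password); the client
    # received the salt at creation and sends the same derivation as its secret.
    salt = "a1b2c3"                              # constructed per-user salt
    salted = WsseVerifier({"alice": derive_api_secret(salt, "s3cret")})
    hdr_salted = build_header("alice", derive_api_secret(salt, "s3cret"), nonce, created)
    results["salted_ok"] = salted.verify(hdr_salted, now)
    # Without the salt the raw password alone no longer verifies against the stored value.
    hdr_raw = build_header("alice", "s3cret", b"another-nonce-01", created)
    results["password_without_salt_rejected"] = not salted.verify(hdr_raw, now)
    return results


if __name__ == "__main__":
    print(demo())
```

Case B is the trade-off the later comments describe: the stored derivation becomes the effective API credential (whoever holds it can produce valid digests), and the client must be told the salt, which is why the thread ends up returning the user object on create or exposing a salt lookup service.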