/** * Generates a computationally-expensive password hash using a password, salt, and optionally a number of iterations to run the encryption over. The function will also make use of salts stored in config.php to prevent bruteforcing of passwords in the case of a database leak. * @internal Sha256 is primarily used for portability. Unlike other algorithms, it is possible to encode it with native PHP. * * @param string $password - The password. * @param string $salt - The salt to use. This salt is stored in the database. * @param string $privateSaltNum - The private salt to use. This salt is referrenced in the database, but stored on the fileserver. * @return void - true on success, false on failure * @author Joseph Todd Parsons <*****@*****.**> */ function fim_generatePasswordSha256($password, $salt, $privateSaltNum, $hashRounds = 5000) { global $salts; for ($i = 0; $i < $hashRounds; $i++) { $password = fim_sha256($password . $salt . $salts[$privateSaltNum]); } return $password; }
/** * Creates a new session identifier that is highly random (so high that bruteforce would be virtually impossible), encrypted based on config salts (to reduce any chance of being able to guess the randomizer). * * @global array $salts - Key-value pairs used for encryption. * @return string - The generated session hash * @author Joseph Todd Parsons <*****@*****.**> */ function fim_generateSession() { global $salts; if (count($salts) > 0) { // Check to see if any salts exist. $salt = end($salts); // If so, get the last entry. } else { $salt = mt_rand(1, 1000000000); // If not, we will generate a second random integer, hopefully reducing any chance of guessing. } $rand = mt_rand(1, 1000000000); // Generate a random integer that will be used to prevent guessing. $hash = str_replace('.', '', uniqid('', true)) . fim_sha256(fim_sha256($rand) . $salt); // Create a sha256 hash of the random value, then hash that with the added user salt. Append this to $hash and the possibility of strategically guessing the sessionhash (which is, in truth, by far the lowest risk from the get-go) becomes nonexistent. return $hash; // Return the generated session hash. }