Developers & Code Interested in customizing your Kayako products? Discuss modifications and develop your own mods with the community.

autologin with md5 password

(#1) davidsky (New Member), 14-09-2007, 09:14 AM

I have seen that it is possible to do an autologin link with the user password in clear!

Is there a way to do it passing the password with md5 "encoding"?

Thanks in advance.

Best regards,
David
   
(#2) craigbrass (Senior Member), 14-09-2007, 10:05 AM

No, that isn't possible.

It wouldn't be advisable to implement it either as it would leave your system wide open.


Craig Brass - Kayako Forum Squatter (Note: I am NOT a staff member)

Icon Headquarters - Its Elixir - Web2Messenger
   
(#3) Jamie Edwards (Operations Manager), 14-09-2007, 10:19 AM

If you could log into the system using an MD5 hash of a password, this is no different from logging in with the plain-string password.

Quote, originally posted by craigbrass:
No, that isn't possible.

It wouldn't be advisable to implement it either as it would leave your system wide open.
What do you mean by wide open?


Jamie Edwards (jamie.edwards ]at[ kayako.com)
----------------------------------------------------------------
  • Submit bug reports here.
  • Submit support tickets via the members area.
  • Submit sales queries either via live chat or via e-mail.
  • There is no official ETA on Version 4.
  • This is not an official support forum - submit a support ticket.

Last edited by Jamie Edwards; 14-09-2007 at 10:37 AM.
   
(#4) craigbrass (Senior Member), 14-09-2007, 10:25 AM

Well you could login by just knowing the MD5 version of the password. Not a good idea.


   
(#5) Jamie Edwards (Operations Manager), 14-09-2007, 10:27 AM

There is no difference in comparison to how the system currently works.


   
(#6) craigbrass (Senior Member), 14-09-2007, 10:28 AM

Maybe but if Kayako implement it, there should be an option in the settings area to enable and disable it.


   
(#7) Jamie Edwards (Operations Manager), 14-09-2007, 10:35 AM

It won't become an option; I just wanted to make clear that the suggestion would not in some way "leave the system wide open".


   
(#8) craigbrass (Senior Member), 14-09-2007, 10:38 AM

Ah right, OK.


   
(#9) davidsky (New Member), 14-09-2007, 11:03 AM

No wait, I will pass the email address and md5-password...

This can just be done with the email address and password in clear!
   
(#10) Jamie Edwards (Operations Manager), 14-09-2007, 11:07 AM

Yes but if the user can log in with the MD5 of the password, then this MD5 sum will just act like any other password - defeating the object of MD5 hashing the password at all.

It is little different to generating a random password for your users.


   
(#11) davidsky (New Member), 14-09-2007, 12:15 PM

I can't understand.

This kind of link works:

https://supportsuite.myhost.com/inde...=core&_a=login

This doesn't:

https://supportsuite.myhost.com/inde...=core&_a=login

Where's the problem?
   
(#12) Jamie Edwards (Operations Manager), 14-09-2007, 12:32 PM

Because the problem associated with having clear passwords sent to your e-mail address is that anyone can read and use the password.

This will be the same with the MD5 hash - anyone can read the password in the e-mail and then use it.

Or, are you aiming to solve something else with your idea?


   
(#13) davidsky (New Member), 14-09-2007, 01:03 PM

I need this link in a reserved area (password protected) under an external application. For many reasons I can't use a loginshare to do login into my application. So I want to send to a page under https://supportsuite.myhost.com email-address and md5-password stored in my app, check if this user already exists with these details and then take the necessary action (login the user or register them).

Meanwhile I have done some other tests and I have reached a solution (using a page under the same domain that sets the right cookies used by supportsuite and simulates a post), but there's a bug in supportsuite:

1. If I try to login with a password in clear using this link:
https://supportsuite.myhost.com/inde...=core&_a=login
it WORKS both with a cookie and without cookies ALWAYS

2. If I try to login with an md5-password using this link:
https://supportsuite.myhost.com/inde...=core&_a=login
it DOESN'T WORK both with and without cookies

3. If I try to login from an external page using POST with a password in clear
it WORKS both with and without cookies ALWAYS

4. If I try to login from an external page using POST with md5-password
it DOESN'T WORK without cookies
it WORKS ONLY THE FIRST TIME with cookie
it DOESN'T WORK AFTER THE FIRST TIME with cookie

This happens because when you check the "remember me" checkbox, supportsuite sets two cookies like this:

Name SWIFT_loginemail
Value email%email.com
Host supportsuite.myhost.com
Path /
Secure No
Expires Fri, 12 Sep 2008 11:37:41 GMT

Name SWIFT_loginpassword
Value md5-password
Host supportsuite.myhost.com
Path /
Secure No
Expires Fri, 12 Sep 2008 11:37:41 GMT

Now if you close the browser, reopen it and go to https://supportsuite.myhost.com, you are not logged in, but you find your data in the login box and the password is the md5 version (supportsuite takes it from the cookie), and if you press login you're obviously logged in.

BUT

if you look at the value stored in the cookie you will see that the md5-password value has changed (supportsuite reapplies an md5 to the value again), so from the second time on you will not be able to login from the data stored in the cookie.
   
(#14) Jamie Edwards (Operations Manager), 14-09-2007, 01:37 PM

Hi David,

This is not a bug - you are not supposed to be able to login directly with the MD5 password except via a cookie.


   
(#15) davidsky (New Member), 14-09-2007, 01:47 PM

Uh?

Maybe you haven't understood where the bug is.

If you check "remember me", the value of this cookie

Name SWIFT_loginpassword
Value md5-password
Host supportsuite.myhost.com
Path /
Secure No
Expires Fri, 12 Sep 2008 11:37:41 GMT

is written every time you do a login, and every time the value is re-md5'd, so the second time the value is wrong:

first-time:
173199a8c2f01255b35a23e5fac27695
md5([your-password])

second-time:
62c3454cb82cf0f116bd35da82679a56
md5('173199a8c2f01255b35a23e5fac27695')

and so on...

Give it a try and you will see...
   
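As an added illustration (not code from Kayako or from anyone in this thread) of the cookie behaviour David describes in posts #13 and #15: a small Python model of a "remember me" login in which the value written back to SWIFT_loginpassword is hashed again on every login, beside the variant that writes the stored hash unchanged. The account store, e-mail address and password are constructed sample values.

```python
import hashlib

# Constructed sample account (not from the thread): the store holds md5(password),
# which is what the thread says supportsuite keeps and pre-fills into the login box.
USER_STORE = {"david@example.com": hashlib.md5(b"constructed-password").hexdigest()}


def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def remember_me_login(email, password_field, cookies, rehash_cookie):
    """One login attempt with "remember me" ticked.

    password_field is what the browser submits: the plaintext the user typed, or the
    SWIFT_loginpassword value the form was pre-filled with from the cookie.  A field that
    equals the cookie value is treated as already hashed and compared as-is (the only path
    on which a hash is accepted, per post #14); anything else is md5'd first.
    rehash_cookie=True models the defect in posts #13/#15: the submitted field is md5'd
    again before being written back, so a cookie-sourced value becomes md5(md5(password)).
    rehash_cookie=False writes the stored hash unchanged, which removes that defect.
    Either way the cookie still holds a password-equivalent (post #10's point).
    Returns (logged_in, cookies_after)."""
    stored = USER_STORE.get(email)
    if stored is None:
        return False, cookies
    from_cookie = cookies.get("SWIFT_loginpassword") == password_field
    candidate = password_field if from_cookie else md5_hex(password_field)
    if candidate != stored:
        return False, cookies  # a failed attempt leaves the cookies untouched
    cookie_value = md5_hex(password_field) if rehash_cookie else stored
    return True, {"SWIFT_loginemail": email, "SWIFT_loginpassword": cookie_value}


def simulate(rehash_cookie, attempts=3):
    """First attempt types the plaintext; each later attempt reuses the cookie value, as
    when the browser is closed and reopened.  Returns (outcomes, final_cookies)."""
    email, cookies, outcomes = "david@example.com", {}, []
    ok, cookies = remember_me_login(email, "constructed-password", cookies, rehash_cookie)
    outcomes.append(ok)
    for _ in range(attempts - 1):
        ok, cookies = remember_me_login(
            email, cookies["SWIFT_loginpassword"], cookies, rehash_cookie)
        outcomes.append(ok)
    return outcomes, cookies


if __name__ == "__main__":
    print("re-hashing cookie:", simulate(True)[0])   # [True, True, False]
    print("fixed cookie:     ", simulate(False)[0])  # [True, True, True]
```

The third outcome of the re-hashing run is the "works only the first time with cookie" behaviour from post #13: the cookie now holds md5(md5(password)), which no longer matches the stored hash.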

Tags: autologin, md5, password