PHP Crypt() Compare two crypted strings


Is it possible to compare two crypt-ed strings and see if they match?

A user logs in, a session is created storing the user's ID and its corresponding crypt-ed password hash. In the background a check keeps running to see if the session (read, password) is still valid.

So technically I want to compare the crypt-ed password in the database with the crypted password in the session. Is this possible?

EDIT:

Should've said I was using the following method to crypt a password:

    function better_crypt($input, $rounds = 7)
    {
      $salt = "";
      // bcrypt accepts salts from the alphabet ./A-Za-z0-9; this draws 22 chars
      // from the alphanumeric subset (array_rand() is not a CSPRNG)
      $salt_chars = array_merge(range('A','Z'), range('a','z'), range(0,9));
      for($i=0; $i < 22; $i++) {
        $salt .= $salt_chars[array_rand($salt_chars)];
      }
      // '$2a$' selects Blowfish (bcrypt); %02d is the two-digit cost parameter
      return crypt($input, sprintf('$2a$%02d$', $rounds) . $salt);
    }

Solution

  • Just check the PHP Manual on crypt. The example clearly states how you can validate the password (so how to compare).

    <?php
    $hashed_password = crypt('mypassword'); // let the salt be automatically generated
    
    /* You should pass the entire results of crypt() as the salt for comparing a
       password, to avoid problems when different hashing algorithms are used. (As
       it says above, standard DES-based password hashing uses a 2-character salt,
       but MD5-based hashing uses 12.) */
    if (crypt($user_input, $hashed_password) == $hashed_password) {
       echo "Password verified!";
    }
    ?>
    

    You can (of course) compare two hashed passwords directly (as they are both strings), but they are just not guaranteed to be equal.

    Just be careful that crypt may not be "very" secure. Read more at Secure hash and salt for PHP passwords and see the PHP manual entry about password hashing: http://php.net/faq.passwords - that should get you started.
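    The check the answer describes, written out as an added example that is not part of the original question or answer: two bcrypt hashes of the same password differ because their salts differ, yet each verifies when the candidate is re-hashed with the stored hash as the salt parameter. The hashes are constructed here with password_hash() (which also produces bcrypt) rather than the asker's better_crypt(), and hash_equals() replaces the manual's == so the comparison runs in constant time.

```php
<?php
// Added example, not code from the question or the answer.
// Verify a candidate password against a stored crypt()-style hash.
function verify_crypt_password(string $candidate, string $stored_hash): bool
{
    // crypt() parses algorithm, cost and salt from $stored_hash and
    // re-derives the hash, so the result is directly comparable.
    $rehashed = crypt($candidate, $stored_hash);

    // On a malformed salt crypt() returns a short failure marker ("*0"/"*1");
    // refuse anything shorter than the shortest real hash (13 chars for DES).
    if (strlen($rehashed) < 13) {
        return false;
    }

    // hash_equals() compares in constant time, so a mismatch does not leak
    // the position of the first differing byte through timing.
    return hash_equals($stored_hash, $rehashed);
}

// Constructed test data: the same password hashed twice with random salts.
$hash_a = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 7]);
$hash_b = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 7]);

// Comparing the two hashes as plain strings fails: the salts differ.
var_dump($hash_a === $hash_b);

// Re-hashing the candidate with each stored hash as salt succeeds for both.
var_dump(verify_crypt_password('correct horse', $hash_a));
var_dump(verify_crypt_password('correct horse', $hash_b));

// A wrong password fails against either hash.
var_dump(verify_crypt_password('wrong password', $hash_a));
```

    For the session check in the question, a session copy of the hash can only be compared byte-for-byte with the database value if both came from the same crypt() call; once the password is re-hashed with a new salt the strings differ even though the password is unchanged.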