We are using a mobile xmpp client to chat with ejabberd server. During the registration, we want the following fields: JID, Password, appID to be sent to the xmpp server.
Which module should I look into to incorporate this change? I also want to store the appID in ejaberd's users table in the database. Further in our current installation we can see the password. Which module of ejabberd should I invoke to encrypt store the passwords. Also can we verify the user using the encrypted password? Any suggestion and pointers to the right direction will be of great help.
We are using a mobile xmpp client to chat with ejabberd server. During
the registration, we want the following fields: JID, Password and the
appID to be sent to the xmpp server ( ejabberd here). Which module
should I look into to incorporate this change? I also want to store
the appID in ejaberd's users table in the database.
mod_register only takes username and password during registration. If you want to store other details during registration, you would have to modify the source code of that module. Or you can store the appid and any other information in the account vcard, once the account is created and the client logins to it.
Further in our current installation we can see the password . which
module of ejabberd should I invoke to encrypt the password and store
the encrypted passwords. Also can we verify the user using the
encrypted password? Any suggestion and pointers to the right direction
will be of great help.
If you enable SCRAM in ejabberd configuration file, the passwords will be stored scrammed (that is, encrypted).
Related
Currently, I have a social media project that already has the existing users, I want to enable the chat function. I had config Ejabberd with JWT and Mysql. I tested and I realized that I don't have to register the users in order to chat, I just need to make sure my token has "JID". Is it a good approach? Or do you have any other suggestions?
You don't need to register the users to ejabberd server explicitly while using external authentication mechanism.
However, chances are that you might not be able to see the list of registered users on the admin panel when not using the default authentication mechanism.
We have a Xamarin Forms application that works both connected and offline. The application connects to an API in our MVC Web application. This application uses Microsoft.AspNetCore.Authentication and the passwords are hashed in the User table. In connected mode, we call the API and get a jwt token back with no problems. For offline mode, we clone the user table in a local SQLite database. The question is, how do we verify the password against the local hashed password in offline mode when a user is logging in?
Thanks.
take user password and do hash and then compare those hash value
ref :
https://support.microsoft.com/en-in/help/307020/how-to-compute-and-compare-hash-values-by-using-visual-c
I want to do the following
User signs up to IOS app and provides username and password
Make a server call and store password in server database
When user logs in in the future, retrieve that password and check against the password that the user entered.
How can I do this in the most secure way possible? I was thinking of encrypting the password when storing in the db. When the user logsin, use the same encryption algorithm and compare against the db encrypted password.
NEVER ever store user credentials in encrypted (reversible) form. Currently best known way for checking user credentials is slow salted hash
for what and why please read https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/
However, don’t try to invent your own algorithm for repeated hashing.
Choose one of these three well-known ones: PBKDF2, bcrypt or scrypt.
As already commented you may outsource the user authentication to some reliable service (google, fb, aws cognito, ibm appid,...)
Have you tried looking into databases? I know that Firebase has an authentication component of their database for ios development, and you might want to try to look into it or other databases. Check out firebase at: https://firebase.google.com/
As an admin, I need to set user passwords through SOAP API but I could not find a service addresses my need. The closest service to mine is SetPassword that enables setting passwords through ZimbraID. Are there any ways to set passwords through usernames? Or how can I retrieve ZimbraIDs for existing accounts?
That's the only method available. However, you can get the zimbra id using GetAccount and using username.
I am working on iPhone application which have login form to access application functionality same as website. now i want to add one button in iphone application that redirects user in to website in safari browser with successfully login.
After success login in to iPhone application, user want to check website in browser so i just need to add functionality that user can directly login in his account and redirect on particular page.
i have some basic idea for that we can do with encrypted username and password with url.
like http://xyz.com/login/username=abc&password=abc
but i know that its not secure way to pass username and password with url.
So please suggest me any other way if possible.
Any idea or alternative that how to implement this.
Thanks in advance.
There are a few ways to do it.
Any time you send password information over the Internet you want it to be encrypted over SSL. This will require an SSL Certificate for your web server though and it's not always possible.
You can also encrypt the username and password yourself in a way that only your web server will know how to decrypt. So the username "foo" could be turned into "oof" and the password "bar" could be turned into "rab". That way if someone intercepted your requests, they couldn't know what the username and password were without knowing how you changed them.
Why not pass the session id?
Here's what I mean: When you log in to a web site, typically you're assigned (or already have) a "session cookie" which essentially tells the server "This visitor has session ID 'XYZ'", and allows it to retrieve the server side information stored for that user (like who they are, that they authenticated, or whatever else you store in the session store.
One of the easier ways of moving to/from applications is to make sure that all logins generate a server side session, and provide a script which will overwrite the user's session cookie and redirect them to the proper page.
session_restore.php?sessionId=12345&redirect=HOME
The doubters here will argue that providing such a script is tenement to a security breach, but I would argue that all of this information is stored client side already, and can be accomplished without the server's intervention anyway. (session hijacking plugins for popular web sites exist for firefox that will grab session IDs from wireless networks - no technical skill needed)
Doing it this way just makes the process friendlier to the user, and if your site provides SSH access (which you really should be doing anyway) then the risk is very minimal.