Vadim Stepanenko, 2018-03-27 00:40:25
Encryption

Can a person change the hash?

Hello!
The site has a chat, and so that users do not write on behalf of someone else (the username is set directly in the page code in the script), it was decided to create a hash with a unique user number, and when sending a message on the server, compare the sent hash with the hash of the received name.
But the following question arose. The hash is created like this:
md5($user['username']);

On the server, the check is as follows:
if(data.hash == md5(data.username)){
  // everything is OK
}else{
  // everything is not OK
}

And accordingly, can the user change his name through the code, as well as replace the hash by generating it for a "dummy" name and send such a request to the server? Will he pass?


3 answer(s)
sim3x, 2018-03-27
@sim3x

md5 - not secure

CityCat4, 2018-03-27
@CityCat4

First, MD5 has long been insecure. Secondly, do you have a server that does not check what came from the user?

Stanislav Bodrov, 2018-03-27
@jenki

"can the user change his name through the code"
If there is such a possibility, then this is extremely bad.

"it was decided to create a hash with a unique user number"
The hash must be unique for the duration of the user's session. So more salt needs to be added. If you want an extreme option, you take a hash from the user's uid, add a salt to it, and take the hash from all this again.
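
An added example, not part of the original question or answers: the check from the question next to a session-bound variant of the kind the answers point toward, written for Node.js. It uses HMAC-SHA-256 with a server-side key in place of the salted double hash suggested above; SERVER_SECRET, issueToken, strongCheck and the sessions map are hypothetical names, and the session data is constructed.

```javascript
const crypto = require('crypto');

// Assumption: a secret generated on the server and never sent to the browser.
const SERVER_SECRET = crypto.randomBytes(32);

const md5 = (s) => crypto.createHash('md5').update(s).digest('hex');

// The check from the question. The hash is an unkeyed function of a value the
// client sends, so any client can compute a matching pair for any username.
function weakCheck(data) {
  return data.hash === md5(data.username);
}

// Hypothetical helper called once at login: binds the uid to one session
// under a key only the server holds.
function issueToken(uid, sessionId) {
  return crypto.createHmac('sha256', SERVER_SECRET)
    .update(`${uid}:${sessionId}`)
    .digest('hex');
}

// Server-side session store filled at login (constructed sample data).
const sessions = new Map([
  ['sess-1', { uid: 17, username: 'alice' }],
  ['sess-2', { uid: 42, username: 'bob' }],
]);

// Hardened check: the author name comes from the server's session record,
// never from the message body. Returns the username, or null on failure.
function strongCheck(data) {
  const session = sessions.get(data.sessionId);
  if (!session || typeof data.token !== 'string') return null;
  const expected = Buffer.from(issueToken(session.uid, data.sessionId), 'hex');
  const given = Buffer.from(data.token, 'hex');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? session.username : null;
}

// Demo: a client-computed pair passes the weak check but not the strong one.
const claimed = { username: 'bob', hash: md5('bob') };
console.log('weak check accepts client-made pair:', weakCheck(claimed));
console.log('strong check, md5 as token:',
  strongCheck({ sessionId: 'sess-1', token: md5('bob') }));
console.log('strong check, issued token:',
  strongCheck({ sessionId: 'sess-1', token: issueToken(17, 'sess-1') }));
```

With the strong check, any username field in the message can be ignored entirely: the server attaches the name from its own session record.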
