troubleshooting Question

key data, how to see expiration length?

Avatar of Bobby
BobbyFlag for United States of America asked on
EncryptionPHPSecurity
9 Comments1 Solution144 ViewsLast Modified:
The following code is supposed to determine how long it has been since a password reset request was submitted. If the request has expired, disallow.

        } else if(!empty($request->get('key'))) {
          $dbAccessor = new DbAccessor();
          $new_password = $request->get('new_password');
          $rawkey = $dbAccessor->unobfuscate_id($request->get('key'));
          $keyparts = explode(":", $rawkey);
          $contact_id = $keyparts[0];
          $expiration = $keyparts[1];

          if(time() > $expiration) {
             $redirect = "/account/reset_my_password?error=key_expired";

I know it works, because I changed the > to a < in the if(time() > $expiration), and I could not reset my password.

I'm a complete newb at this, taking over for a staff member who moved away. He was our main back end web dev, and Im scrambling to fill his shoes as much as I can.

I was tasked with this because somebody ran across a link that was sent out to a real customer months ago to reset their password. We clicked the link, and it took us to the password reset page, as if it was perfectly fine to reset our password after all those months. The link should have expired.

BUT

This may have been designed so that the user doesn't get a message that it has expired, it just doesnt do what it says (like my test in reversing the <>). That would be perfectly acceptable... not graceful, but at least the password could not be reset via that link 3 months later.

So... obviously I need to figure out the value of this: $keyparts[1]; to see what time value is being specified (if any). How do I see that? Here is the unobfuscate_id function:

   public function unobfuscate_id($str) {  
      $key = "realdatastripped";
      $encrypted_str = base64_decode(str_pad(strtr($str, '-_', '+/'), strlen($str) % 4, '=', STR_PAD_RIGHT));
      $str = mcrypt_decrypt(MCRYPT_DES, $key, $encrypted_str, MCRYPT_MODE_ECB);
      $block = mcrypt_get_block_size('des', 'ecb');
      $pad = ord($str[($len = strlen($str)) - 1]);
      $unencrypted_str = substr($str, 0, strlen($str) - $pad);
      return str_replace("dm", "", $unencrypted_str);

If it helps, here is the key in one email I initiated to myself for a password request: reset_my_password?key=XPLDFLhFhu0O192aM6dmCGhW4srTDUQw
ASKER CERTIFIED SOLUTION
Join our community to see this answer!
Unlock 1 Answer and 9 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 9 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros