Do not store salt when generating new password

2023-08-23 18:16:34 +02:00 · 2023-08-23 18:16:34 +02:00 · d5356a81c1
parent a699bf2dee
commit d5356a81c1
1 changed files with 0 additions and 4 deletions
--- a/pages/users.php
+++ b/pages/users.php
@ -17,15 +17,11 @@

    if(@$_REQUEST['action'] == 'genpw' && @$_REQUEST['userid'] != '')
    {
-        $SALT   =   md5(rand(1111, 9999));
        $NEWPW  =   generateRandomString(10);

        $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID'); 
        $statement->execute(['PasswordHash' => password_hash($NEWPW, PASSWORD_ARGON2ID), 'PrincipalID' => $_REQUEST['userid']]);

-        $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordSalt = :passwordSalt WHERE UUID = :PrincipalID'); 
-        $statement->execute(['passwordSalt' => $SALT, 'PrincipalID' => $_REQUEST['userid']]);
-
        $HTML->ReplaceSeitenInhalt("%%MESSAGE%%", '<div class="alert alert-danger" role="alert">Das Passwort für '.htmlspecialchars($RUNTIME['OPENSIM']->getUserName($_REQUEST['userid'])).' wurde geändert. Das neue Passwort ist <b>'.htmlspecialchars($NEWPW).'</b></div>'); 
    }