Forum OpenACS Q&A: Response to Documentations that don't make sense

Posted by Li-fan Chen on

Now I have a post regarding a little snippet of code that I don't understand:

It's regarding tcl/ad-security.tcl's ad_assign_session_id:


# Li: so we pickup the user_id and password from the user...(from [ns_conn headers])
if { [regexp {^([0-9]+),([0-9a-fA-F]+)$} [ad_get_cookie "ad_user_login"] match user_id password] } {
    # Li: here we may encrypt the password first... (Bookmark 1)
    if { [ad_parameter EncryptPasswordsInDBP "" 0] } {
        set password [ns_crypt $password [ad_crypt_salt]]

    # Li: from the server we pick up the server's notion of what the user's password is
    set selection [ns_db 0or1row $db "
    select password
    from users
    where user_id = $user_id
    and user_state = 'authorized'

    if { [empty_string_p $selection] } {
        # user_id does not exist in database, or is not in state authorized

    } else {
        # Li: from the server
        set correct_password [ns_set value $selection 0]

        # Li: Here we dehex the password provided from the user (Bookmark 2)
        set password_raw [sec_dehexify $password]
        if { ![string compare [string toupper $correct_password] [string toupper $password_raw]] } {
            set ad_sec_user_id $user_id

My question is.. regarding bookmark 1 and 2.. how can you encrypt something and dehex it right after? If the encryption procedure involves a hex procedure at the end that makes sense. But if you hex something, then encrypted, you need to decrypt it then dehex it. So maybe what we really mean is sec_hexify? Or what? I'm confused. Thanks for any clarification.