Forum OpenACS Q&A: Response to Documentations that don't make sense

Posted by Li-fan Chen on

Now I have a post regarding a little snippet of code that I don't understand:

It's regarding tcl/ad-security.tcl's ad_assign_session_id:

[...]

# Li: so we pickup the user_id and password from the user...(from [ns_conn headers])
if { [regexp {^([0-9]+),([0-9a-fA-F]+)$} [ad_get_cookie "ad_user_login"] match user_id password] } {
    # Li: here we may encrypt the password first... (Bookmark 1)
    if { [ad_parameter EncryptPasswordsInDBP "" 0] } {
        set password [ns_crypt $password [ad_crypt_salt]]
    }

    # Li: from the server we pick up the server's notion of what the user's password is
    set selection [ns_db 0or1row $db "
    select password
    from users
    where user_id = $user_id
    and user_state = 'authorized'
    "]

    if { [empty_string_p $selection] } {
        # user_id does not exist in database, or is not in state authorized

    } else {
        # Li: from the server
        set correct_password [ns_set value $selection 0]

        # Li: Here we dehex the password provided from the user (Bookmark 2)
        set password_raw [sec_dehexify $password]
        if { ![string compare [string toupper $correct_password] [string toupper $password_raw]] } {
            set ad_sec_user_id $user_id
        }
    }
}

My question is regarding bookmarks 1 and 2: how can you encrypt something and dehex it right after? If the encryption procedure involves a hex procedure at the end, that makes sense. But if you hex something and then encrypt it, you need to decrypt it and then dehex it. So maybe what we really mean is sec_hexify? Or what? I'm confused. Thanks for any clarification.
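As an added illustration (not code from the post or from OpenACS), here is a Python model of the cookie check the snippet performs when EncryptPasswordsInDB is off: parse the "user_id,hexpassword" cookie with the same regexp, dehex the password, and compare it case-insensitively against the stored value. It assumes sec_hexify/sec_dehexify are plain hex encoding/decoding of the password bytes, and the users table is replaced by a constructed dict.

```python
import re
import binascii

# Same pattern ad_assign_session_id applies to the ad_user_login cookie.
COOKIE_RE = re.compile(r'^([0-9]+),([0-9a-fA-F]+)$')


def sec_hexify(s: str) -> str:
    """Assumed behaviour of sec_hexify: each byte becomes two hex digits."""
    return binascii.hexlify(s.encode()).decode()


def sec_dehexify(h: str) -> str:
    """Assumed inverse of sec_hexify; raises on odd length or non-hex input."""
    return binascii.unhexlify(h).decode()


def parse_login_cookie(value: str):
    """Return (user_id, hex_password) or None if the cookie is malformed."""
    m = COOKIE_RE.match(value)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def check_login_cookie(cookie_value: str, users: dict):
    """Model of the unencrypted branch of the snippet.

    users is a constructed stand-in for the users table:
    {user_id: (password, user_state)}. Returns the authenticated
    user_id, or None when the cookie, user state or password fails.
    """
    parsed = parse_login_cookie(cookie_value)
    if parsed is None:
        return None
    user_id, password_hex = parsed
    row = users.get(user_id)
    # Mirrors "where user_id = ... and user_state = 'authorized'".
    if row is None or row[1] != 'authorized':
        return None
    correct_password = row[0]
    try:
        password_raw = sec_dehexify(password_hex)
    except (binascii.Error, UnicodeDecodeError):
        return None  # hex that does not decode can never match
    # Mirrors the string toupper / string compare in the snippet.
    if correct_password.upper() == password_raw.upper():
        return user_id
    return None
```

Running it with a cookie built by sec_hexify shows why the dehexify at bookmark 2 only makes sense if the cookie field is the hexified password, not a crypt() result.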