How to check if the user and password works without making a connection to a database

views:

334

answers:

How to check if the user and password works without making a connection to a database

How do I check if a user/password pair works without actually making a connection to the database? The DBMS in question is MySQL.

That was my original question. Since most people get this question wrong, then I should rephrase it as: How do I check if a MySQL username/password is valid, without connecting to MySQL as that user? (thanks to derobert)

I actually found a solution, check my answer below.

If the username and password are stored in the database, then there's obviously no other way to check them other than to connect first.

The best you could do is perhaps only connect to the DB when they log in. Once they're authenticated, you could store some form of session information on disk, but it's not a great solution.

nickf 2008-12-19 04:37:22

In short - not posssible if the userid/password are stored in the database.

Authentication basically means that you compare the response to a challenge with known values. If you do not have the values to compare with , you cannot authenticate.

Learning 2008-12-19 04:48:55

+2 A:

Can I ask why you want to check the username and password without connecting?

keith 2008-12-19 05:14:39

One possible solution would be to devise some sort of scheme where the username/password are an encryption/decryption key pair. Obviously, this would be more feasible in an assigned username world, but such a policy would allow you not to hit the database if that is the primary objective.

cdeszaq 2008-12-19 05:14:55

+1 A:

I think this question is open to interpretation. Most people will jump in and say "You can't.", but if what you are actually asking is "How do I use MySQL to authenticate a user but not actually use the database?" then that's a whole different ball game. Take a look at mod_auth_mysql, an Apache module which does exactly that. If we had more details on what exactly you were trying to do, folks might be more forthcoming.

ninesided 2008-12-19 05:18:58

This seems to make a *lot* more sense than the literalist approach. Hopefully the OP will clarify.

Chris Farmer 2008-12-19 05:25:43

+4 A:

If you want to check if a MySQL username/password is valid, without connecting to MySQL as that user, then you should take a look at the the users table in the mysql database.

But I'd recommend not doing this; that is really an internal MySQL implementation detail, and you really shouldn't depend on it. (e.g., what if MySQL gets LDAP auth someday?)

derobert 2008-12-19 05:38:21

+1 A:

Login as someone who has access to "mysql" database (schema), and do: SELECT COUNT(*) FROM MYSQL.USER WHERE USERNAME=? AND PASSWORD=PASSWORD(?)

If the count > 0 then the username/password is correct.

Rudi Adianto 2008-12-19 07:56:15

Exposing the password hashes is a severe security issue. The hash used by mysql is subject to dictionary attacks. Any attacker that finds the account to query mysql.user can grab the password hashes and spend all the time they want brute forcing them until they're cracked.

nicerobot 2008-12-19 08:17:48

Plus, as derobert points out - this method uses MySQL implementation details - you're better off treating these as a black box. I don't understand the requirement to not connect to the DB as that user.

slim 2008-12-19 08:40:51

Not to mention you've ignored any host restrictions that were set in MySQL.

derobert 2008-12-20 10:27:20

ansaurus

tags:

views:

answers:

How to check if the user and password works without making a connection to a database

related questions