User authentication and security

The user authentication process of WaypointHR is designed to support rapid yet secure authentication. User passwords are stored in an encrypted format, using the most secure algorithm available to your installation. The process is designed to protect your users, and your data.

The authentication process

The WaypointHR database includes a user table with a username column and a pointer to an employee record. The user's password is stored in a separate crypt_x table, chosen according to the encryption algorithm in use. (This allows both the user table and the various crypt tables to be defined with fixed-length rows, ensuring highly efficient database lookups and indexing.)

Once authenticated for a session, WaypointHR creates an entry in the session table - a MySQL Memory table. This allows subsequent requests within the session to be authenticated as efficiently as possible whilst maintaining the necessary security. (Again, the session table uses fixed length rows to ensure efficient row lookups.)

Session information is stored client-side in HMAC-signed cookies (SHA-256 if available to your server, otherwise SHA-1 as a fallback). The cookies are time limited to further ensure resilience. The session information retained in cookies does not include a user's password, and therefore cannot be used after the expiration period.

The encryption algorithms

Where available, WaypointHR will use the Blowfish algorithm for password encryption. This provides a robust method of securing password data. Blowfish does, however, have some requirements not available to all PHP installations. If your server is not configured to support Blowfish, Extended DES will be used. If this option is unavailable, a hardened implementation of MD5 hashing with variable iteration counts is used.

All passwords are salted to further enhance resilience. If you are running on a Linux server, /dev/urandom will be used as a random seed if available, otherwise a hash of the microtime and process ID will be used.
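The fallback chain and salting described above, as an added example that is not WaypointHR's own code: it selects Blowfish, then Extended DES, then MD5 through PHP's crypt(), seeds salts from /dev/urandom when readable and otherwise from a hash of microtime and the process ID. The MD5 branch uses crypt()'s fixed-iteration $1$ scheme as a stand-in for the product's variable-iteration variant, and the function names are assumptions.

```php
<?php
// Added example, not WaypointHR's own code. Assumptions: function names,
// bcrypt cost 10, and crypt()'s $1$ scheme standing in for the MD5 fallback.

function salt_seed(int $n): string {
    if (is_readable('/dev/urandom')) {
        $bytes = file_get_contents('/dev/urandom', false, null, 0, $n);
        if ($bytes !== false && strlen($bytes) === $n) return $bytes;
    }
    // Fallback seed: hash of microtime and PID, stretched to $n bytes.
    $seed = '';
    while (strlen($seed) < $n) {
        $seed .= hash('sha256', microtime(true) . getmypid() . strlen($seed), true);
    }
    return substr($seed, 0, $n);
}

// crypt() salts use the alphabet ./0-9A-Za-z; map each seed byte onto it.
function crypt_salt(int $n): string {
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $out = '';
    foreach (str_split(salt_seed($n)) as $byte) {
        $out .= $alphabet[ord($byte) & 63];
    }
    return $out;
}

function hash_password(string $password): string {
    if (CRYPT_BLOWFISH === 1) {
        $setting = '$2y$10$' . crypt_salt(22);   // bcrypt, cost 2^10, 22-char salt
    } elseif (CRYPT_EXT_DES === 1) {
        $setting = '_J9..' . crypt_salt(4);      // Extended DES: 4-char count, 4-char salt
    } else {
        $setting = '$1$' . crypt_salt(8) . '$';  // MD5-based crypt
    }
    $hash = crypt($password, $setting);
    if (strlen($hash) < 13) {                     // crypt() signals failure with '*0' / '*1'
        throw new RuntimeException('crypt() failed for the selected scheme');
    }
    return $hash;
}

function verify_password(string $password, string $stored): bool {
    // crypt() re-derives the hash from the setting embedded in $stored;
    // hash_equals() keeps the comparison constant-time.
    return hash_equals($stored, crypt($password, $stored));
}

$stored = hash_password('correct horse');
var_dump(verify_password('correct horse', $stored));
var_dump(verify_password('wrong password', $stored));
```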
