Verify BCrypt Hash password when Login

Question

I am using net beans IDE to crate my Login form and the servlet. i used BCrypt hashing method to secure the password when it's storing in the database and it was successful. but when I going to login it always says "Invalid Credentials"

how can i solve this

here is my CompanyLoging.jsp

<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html lang="en">
<head>
</head>
<body style="background-color: #666666;">



<%
    Cookie[] cookies=request.getCookies();
    String email = "", password = "",rememberVal="";
    if (cookies != null) {
         for (Cookie cookie : cookies) {
           if(cookie.getName().equals("cookuser")) {
             email = cookie.getValue();
           }
           if(cookie.getName().equals("cookpass")){
             password = cookie.getValue();
           }
           if(cookie.getName().equals("cookrem")){
             rememberVal = cookie.getValue();
           }
        }
    }
%>

<div class="limiter">
    <div class="container-login100">
        <div class="wrap-login100">
                        <form class="login100-form validate-form" action="CompanyLogin" method="post">
                <span class="login100-form-title p-b-43">
                    Login to continue
                </span>


                <div class="wrap-input100 validate-input" data-validate = "Valid email is required: ex@abc.xyz">
                                        <input class="input100" type="text" name="email" >
                    <span class="focus-input100"></span>
                    <span class="label-input100">Email</span>
                </div>


                <div class="wrap-input100 validate-input" data-validate="Password is required">
                    <input class="input100" type="password" name="pass" autocomplete="off">
                    <span class="focus-input100"></span>
                    <span class="label-input100">Password</span>
                </div>

                <div class="flex-sb-m w-full p-t-3 p-b-32">
                    <div class="contact100-form-checkbox">
                                                <label>Remember me?</label> 
                                                <input type="checkbox" name="remember_me" value="1" <%="1".equals(rememberVal.trim()) %>>
                    </div>

                    <div>
                        <a href="#" class="txt1">
                            Forgot Password?
                        </a>
                    </div>
                </div>


                <div class="container-login100-form-btn">
                    <button class="login100-form-btn">
                        Login
                    </button>
                </div>

                <div class="text-center p-t-46 p-b-20">
                    <span class="login100-form-btn2">
                                                or <a href="CompanyReg.jsp">sign up</a> 
                    </span>
                </div>


            </form>

            <div class="login100-more" style="background-image: url('resources/Company/CompanyLogin/images/bg-01.jpg');">
            </div>
        </div>
    </div>
</div>
</body>
</html>

here is my CompanyLog.java

protected void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    String email = request.getParameter("email");
    String password = request.getParameter("pass");
    String hashPass = BCrypt.hashpw(password, BCrypt.gensalt(12));

    try
    {
        connection = Connector.ConnectDb();
        PreparedStatement pst = connection.prepareStatement("SELECT * FROM Company WHERE Email= '"+email+"' AND Password='"+hashPass+"'");

        ResultSet rs = pst.executeQuery();
        if (rs.next())
        {
            if(request.getParameter("remember_me") != null)
            {
                String remember = request.getParameter("remember_me");
                Cookie cemail = new Cookie("cookuser", email.trim());
                Cookie cPassword = new Cookie("cookpass", password.trim());
                Cookie cRemember = new Cookie("cookrem", remember.trim());

                cemail.setMaxAge(60 * 60 * 24 * 15);//15 days
                cPassword.setMaxAge(60 * 60 * 24 * 15);
                cRemember.setMaxAge(60 * 60 * 24 * 15);

                response.addCookie(cemail);
                response.addCookie(cPassword);
                response.addCookie(cRemember);

            }

            HttpSession httpSession = request.getSession();
            httpSession.setAttribute("sessuser", email.trim());
            RequestDispatcher requestDispatcher = request.getRequestDispatcher("CompanyDashboard.jsp");
            requestDispatcher.forward(request, response);
        }

        else
        {
            PrintWriter out=response.getWriter();
            out.println("<script type=\"text/javascript\">");
            out.println("alert('Invalid Credentials');");
            out.println("location='CompanyLogin.jsp';");
            out.println("</script>");
        }
    }

    catch (IOException | SQLException | ServletException e)
    {
        PrintWriter out=response.getWriter();
        out.println("Error : " + e);
    }
}

this is the way my database looks like

Topaco · Accepted Answer · 2019-03-14T18:27:38.510

You don't have posted the registration-part of your application, but I suspect the issue is caused by the following line in your login-part:

String hashPass = BCrypt.hashpw(password, BCrypt.gensalt(12));

which creates the password-hash for a new salt. Of course, that doesn't match the password-hash created in your registration-part (and stored in the Password-field of your DB) since the salts differ even if the passwords match. Thus, instead of creating a new salt you have to use the salt already stored in your DB:

String hashPass = BCrypt.hashpw(password, storedSalt);

In principle, the salt can be reconstructed from the stored BCrypt-hash (if you are interested in this, the format of the BCrypt-hash is in detail explained at How can bcrypt have built-in salts? and here).

However, there is an easier way (which is also the intended way): You can use the BCrypt#checkpw-method:

boolean isAuthenticated = BCrypt.checkpw(candidatePassword, passwordHash);

Here, candidatePassword is the password to check. passwordHash is the BCrypt-hash (stored in the Password-field of your DB). If the passwords match the method returns true.

If you use this approach you have to adapt your database-access accordingly, e.g. something like (not yet tested!):

protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String email = request.getParameter("email");
    String password = request.getParameter("pass");

    try {
        connection = Connector.ConnectDb();
        PreparedStatement pst = connection.prepareStatement("SELECT * FROM Company WHERE Email= '"+email+"'");

        ResultSet rs = pst.executeQuery();
        while (rs.next()) {
            if (BCrypt.checkpw(password, rs.getString("Password"))) {
                ...

Verify BCrypt Hash password when Login

1 Answers1