Hello Rockstar,
Since you are using hashed password it won't be possible for you to obtain the original password on the server side, unless of course you are using a custom grown hash function which is capable of reversing the has value.
According to Wikipedia
A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest.
The ideal cryptographic hash function has four main properties:
- it is easy to compute the hash value for any given message
- it is infeasible to generate a message that has a given hash
- it is infeasible to modify a message without changing the hash
- it is infeasible to find two different messages with the same hash.
The way I typically imeplemet this functionality is explained below. You can perhaps follow the same.
- Generate some random value (Salt) approx 10-12 characters on server side and insert it in login page using a hidden field, store it in session as well.
- In login page's javascript generate a hash (HashedPass) of the password (SHA-1/SHA-2/SHA-3).
- Using the Salt generate one more hash value (CheckSum) of HashedPass
- Post UserId, HashedPass and CheckSum to server
- On the server side recompute the Checksum using Salt stored in session and the received HashedPass. Compare this value with CheckSum received, If both values are same then proceed to next step otherwise flag an error.
- Reteieve user's record from data store using the received UserId.
- Retrieve the random salt that was stored along with the original password hash. (The original password stored in the data store is also a hash value generated using a random salt and using one of the hashing algorithms mentioned eralier. I generally store salt along with the hashed password as $SALT$HASH)
- Recompute the new hash of HashedPass using the random salt retrieved in step 7 and one of the hashing algorithms mentioned eralier.
- Now compare the new hash with the password hash stored in data store, if both of these values are equal then you can safely login the user, otherwise flag an error
Regards,