MyBB Community Forums

Full Version: MyBB Logins (salt?) - website integration
Hi all,

I'm making a new website, which uses a forum system to handle the user logins. My previous site used phpBB, but now I'm moving over to MyBB.

I want users to be able to log in via the website, but MyBB stores the password as some sort of MD5 HASH value, with some SALT value - how would I go about recreating this hash value so that I can check the user's credentials and log them in?

I've tried an MD5 hash of the user's password input, as well as other variations which include the SALT value, but none of these seem to create the same hash value.

Thanks

Mat
Check out the functions in inc/functions_user.php.
(2009-01-24, 02:31 AM) DennisTT Wrote: Check out the functions in inc/functions_user.php.

Hi, thanks for your reply.

I've checked the file you mentioned and I'm a little confused. It seems the salt changes each and every time someone logs in? Is this correct? Also, what's the difference between the password field and the login_key? Is the password a less secure version, whilst the login_key has added salt encryption?

Assuming the salt changes each time, and we need to know the SALT phrase in order to mash up a password allowing access, I would need to query the database on the username only, in order to get the salt? Then I'd use this salt as part of the supplied password to make my mashed up MD5 login to try and gain access? That obviously wouldn't make it any more secure at all, so that can't be it.

I'm having the forum as a separate thing (that is, I'm not just changing the templates), but I want site/forum logins to work in unison, so I don't really want to include all of the user_function.php on my pages. I think I want to just have my own login system, but need to know how to put together a valid password string (MD5'ed).

Thanks

Mat
(2009-01-24, 10:35 AM) Mat Brummitt Wrote: I've checked the file you mentioned and I'm a little confused. It seems the salt changes each and every time someone logs in? Is this correct?
No, the salt is largely kept static. It will automatically be generated if no salt exists.

(2009-01-24, 10:35 AM) Mat Brummitt Wrote: Also, what's the difference between the password field and the login_key? Is the password a less secure version, whilst the login_key has added salt encryption?
The login_key is synonymous with a user token. It basically authenticates the user without a username/password combination (i.e., when they want to be automatically logged in when they visit the forum).
The password is hashed with the salt. The login_key is just a purely random sequence of characters.

(2009-01-24, 10:35 AM) Mat Brummitt Wrote: Assuming the salt changes each time, and we need to know the SALT phrase in order to mash up a password allowing access, I would need to query the database on the username only, in order to get the salt? Then I'd use this salt as part of the supplied password to make my mashed up MD5 login to try and gain access? That obviously wouldn't make it any more secure at all, so that can't be it.

I'm having the forum as a separate thing (that is, I'm not just changing the templates), but I want site/forum logins to work in unison, so I don't really want to include all of the user_function.php on my pages. I think I want to just have my own login system, but need to know how to put together a valid password string (MD5'ed).
My suggestion would be to copy various functions from the aforementioned file, such as validate_password_from_username, validate_password_from_uid, salt_password etc, and modify them to read values from your database, if you do not want to include() MyBB files directly.
You'll probably also need to bridge user sessions across too, but for just authenticating a username/password combo, the above is all you need to do.
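
The username/password check discussed in this thread, as an added example that is not part of the thread and not MyBB's own code. It assumes the legacy scheme of MyBB 1.x releases from that period, md5(md5(salt) . md5(password)), and the default `mybb_users` table; the `mybb_`-prefixed function names and the sample row are hypothetical.

```php
<?php
// Added example, not MyBB's own code. Assumes the legacy MyBB 1.x scheme:
//   stored password = md5( md5(salt) . md5(plaintext) )
// and the default "mybb_" table prefix (uid, username, password, salt columns).

function mybb_salt_password(string $md5Password, string $salt): string
{
    // Same composition as MyBB's salt_password(): input is already md5'd once.
    return md5(md5($salt) . $md5Password);
}

// Returns the uid on success, null on unknown user or wrong password.
function mybb_verify_login(PDO $db, string $username, string $password): ?int
{
    // Look up by username only; the per-user salt is needed before hashing.
    $stmt = $db->prepare(
        'SELECT uid, password, salt FROM mybb_users WHERE username = :name'
    );
    $stmt->execute([':name' => $username]);
    // Unknown users get an empty row so both cases run the same hashing path.
    $row = $stmt->fetch(PDO::FETCH_ASSOC)
        ?: ['uid' => 0, 'password' => '', 'salt' => ''];

    $candidate = mybb_salt_password(md5($password), $row['salt']);
    // hash_equals() compares without leaking the mismatch position via timing.
    $ok = hash_equals($row['password'], $candidate);
    return ($ok && $row['uid'] > 0) ? (int) $row['uid'] : null;
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mybb_users (uid INTEGER PRIMARY KEY,
           username TEXT, password TEXT, salt TEXT)');
$salt = 'aB3dE9xZ'; // constructed salt
$db->prepare('INSERT INTO mybb_users (username, password, salt) VALUES (?, ?, ?)')
   ->execute(['mat', mybb_salt_password(md5('correct horse'), $salt), $salt]);

var_dump(mybb_verify_login($db, 'mat', 'correct horse'));
var_dump(mybb_verify_login($db, 'mat', 'wrong guess'));
var_dump(mybb_verify_login($db, 'nobody', 'anything'));
```

Against a real installation the PDO handle would point at the forum's own database instead of the in-memory sample.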