hash_passwrd

Started by hebrew878, January 04, 2013, 08:28:49 AM


Arantor

Except you're not getting what I'm trying to tell you.

You may not need to use hash_passwrd. Depending on what you're trying to do, it may not even be POSSIBLE to use hash_passwrd. Depending on what you're trying to do, there may be a way that works far better with less effort than what you're trying to do.

Actually now that I think about it, it is probably impossible for you to use hash_passwrd to do what you're trying to do. But you think you need to use it.

Most of the people who pay me to write code for them come to me to get something solved. They come to me with how they think it has to be done, but because they don't really know what they're doing, it won't work out how they think it has to. Which is why they pay me because I've been doing this stuff for years and know it inside out.

If you tell me what I want to know, I will be able to help you. Until you tell me what I want to know, YOU CANNOT GET HELP.

hebrew878

http://forum.domain.com/index.php?action=login2

post parameters
user=hello&passwrd=&hash_passwrd=ee36ff9cb80410c5763d22a1af73969088f4c63c&hidden_passwrd=hello


What is the formula used to calculate the hash_passwrd?



Arantor

You don't make desktop apps in PHP though, so what are you trying to do?

emanuele

Quote from: hebrew878 on January 04, 2013, 10:37:00 PM
can you convert this hex_sha1(hex_sha1(doForm.user.value.php_to8bit().php_strtolower() + doForm.passwrd.value.php_to8bit()) + cur_session_id);  into php code??
There is not a lot of meaning translating it to php because it would depend on the name you give to the variables. Though:
sha1(sha1($smcFunc['strtolower']($username) . $password) . $session_id);
Note: SMF doesn't use $smcFunc['strtolower'], but only strtolower, but this breaks PostgreSQL in certain conditions.
Note: in SMF 2.1 the javascript hashing will be different, it will also include a one-time token.
Note: (again) this is valid only if javascript is enabled *AND* the proper javascript is executed on the login form *before* POSTing the data to php, otherwise what vbgamer said is valid.
Note: probably there is more, but I forgot while writing.

@Arantor: certain times it is just better to let them play with their code... :P


Take a peek at what I'm doing! ;D




Need support in Italian?

Help us help you: explain your problem well: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.
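
The SMF 2.0 hash_passwrd formula from the post above, paired with the server-side check it implies, as an added example that is not SMF code or part of the original thread. It shows why the submitted hash only verifies against the session id the server issued, the point Arantor raises in the next reply. The function names, the sample credentials and session ids, and the stored format sha1(lowercase(user) + password) are assumptions.

```javascript
// Added example, not SMF source. All names and sample values are constructed.
const nodeCrypto = require('crypto');

const sha1Hex = (s) => nodeCrypto.createHash('sha1').update(s, 'utf8').digest('hex');

// What the login form's JavaScript computes (hex_sha1 in the browser, sha1 in PHP).
// Inputs are assumed ASCII, so the php_to8bit() step is a no-op here.
function clientHashPasswrd(user, passwrd, sessionId) {
  return sha1Hex(sha1Hex(user.toLowerCase() + passwrd) + sessionId);
}

// Assumption: the server stores the inner hash, sha1(lowercase(user) + password).
function storedHash(user, passwrd) {
  return sha1Hex(user.toLowerCase() + passwrd);
}

// Server side: recompute the outer hash with the session id issued to this
// visitor and compare in constant time. The plaintext password is not needed.
function verifyHashPasswrd(stored, serverSessionId, submitted) {
  if (!/^[0-9a-f]{40}$/i.test(submitted)) return false; // malformed field
  const expected = Buffer.from(sha1Hex(stored + serverSessionId), 'hex');
  return nodeCrypto.timingSafeEqual(expected, Buffer.from(submitted, 'hex'));
}

function demo() {
  const stored = storedHash('Hello', 'correct horse');
  const sessionA = 'a'.repeat(32); // constructed session ids
  const sessionB = 'b'.repeat(32);
  const submitted = clientHashPasswrd('hello', 'correct horse', sessionA);
  const wrong = clientHashPasswrd('hello', 'nope', sessionA);
  return {
    sameSession: verifyHashPasswrd(stored, sessionA, submitted),
    otherSession: verifyHashPasswrd(stored, sessionB, submitted), // hash is bound to session A
    wrongPassword: verifyHashPasswrd(stored, sessionA, wrong),
    malformed: verifyHashPasswrd(stored, sessionA, 'not-a-hash'),
  };
}

console.log(demo());
```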

Arantor

@emanuele, yes, generally I would just leave people to it but security matters are ones I won't leave alone. Especially as in this case the session id is required to make hash_passwrd work and invariably you won't *have* the session id to play with ;)

hebrew878

Quote from: Arantor on January 05, 2013, 08:47:23 AM
@emanuele, yes, generally I would just leave people to it but security matters are ones I won't leave alone. Especially as in this case the session id is required to make hash_passwrd work and invariably you won't *have* the session id to play with ;)
session id can be taken easily

Arantor

Oh really, given that you actually need the session id to be able to sign in using the hash password...

Which means that to log in you have to write something to go to the forum in the first place to generate the relevant session id, parse the response for the session id... yes, it's doable but if you're having trouble with this fairly basic process, I'd suggest parsing the response is an unlikely task at this stage.

hebrew878

Quote from: Arantor on January 05, 2013, 04:45:24 PM
Oh really, given that you actually need the session id to be able to sign in using the hash password...

Which means that to log in you have to write something to go to the forum in the first place to generate the relevant session id, parse the response for the session id... yes, it's doable but if you're having trouble with this fairly basic process, I'd suggest parsing the response is an unlikely task at this stage.
I was thinking that to log in to the forum we must need hash_passwrd, but that went wrong... While I searched this forum I got an answer that was yours only  :laugh:
http://www.simplemachines.org/community/index.php?topic=428103.msg3007079#msg3007079
Mind you, you don't have to send it hashed, you can send it just fine as variable passwrd in the POST, unhashed if you like...

My aim was login only  ;) but I still want to know how hash_passwrd is generated  :'(

Arantor

You see, now you understand why I was asking... you don't necessarily need hash_passwrd for logging in, under many circumstances you won't even be able to send it anyway.

In other circumstances you won't be able to use even the unhashed version for sending, which is why I've wasted a lot of time trying to find out what you're trying to do so that I could give you the right advice.

You didn't say you wanted to do login as such, you said you wanted to log in with hash_passwrd - the two are not the same. You never explained *HOW* you were trying to login, because depending on even that, using passwrd is probably wrong.

But egad, I'm fed up of trying to get enough information to actually help you because you don't want help. You want to waste a lot of time chasing down dead ends instead of trying to actually solve your problem.

Good luck.

hebrew878

Quote from: emanuele on January 05, 2013, 08:17:00 AM
Quote from: hebrew878 on January 04, 2013, 10:37:00 PM
can you convert this hex_sha1(hex_sha1(doForm.user.value.php_to8bit().php_strtolower() + doForm.passwrd.value.php_to8bit()) + cur_session_id);  into php code??
There is not a lot of meaning translating it to php because it would depend on the name you give to the variables. Though:
sha1(sha1($smcFunc['strtolower']($username) . $password) . $session_id);
Note: SMF doesn't use $smcFunc['strtolower'], but only strtolower, but this breaks PostgreSQL in certain conditions.
Note: in SMF 2.1 the javascript hashing will be different, it will also include a one-time token.
Note: (again) this is valid only if javascript is enabled *AND* the proper javascript is executed on the login form *before* POSTing the data to php, otherwise what vbgamer said is valid.
Note: probably there is more, but I forgot while writing.

@Arantor: certain times it is just better to let them play with their code... :P
in SMF 2.1 the javascript hashing will be different, it will also include a one-time token.
hex_sha1()  is not a normal php sha1()  ??

hebrew878

Quote from: Arantor on January 05, 2013, 04:58:41 PM
You see, now you understand why I was asking... you don't necessarily need hash_passwrd for logging in, under many circumstances you won't even be able to send it anyway.

In other circumstances you won't be able to use even the unhashed version for sending, which is why I've wasted a lot of time trying to find out what you're trying to do so that I could give you the right advice.

You didn't say you wanted to do login as such, you said you wanted to log in with hash_passwrd - the two are not the same. You never explained *HOW* you were trying to login, because depending on even that, using passwrd is probably wrong.

But egad, I'm fed up of trying to get enough information to actually help you because you don't want help. You want to waste a lot of time chasing down dead ends instead of trying to actually solve your problem.

Good luck.
I apologize  :)

emanuele

Quote from: hebrew878 on January 05, 2013, 05:02:41 PM
in SMF 2.1 the javascript hashing will be different, it will also include a one-time token.
hex_sha1()  is not a normal php sha1()  ??
Not sure how you related the fact that 2.1 will have a different hashing method with the equivalence between sha1 and hex_sha1...

Either way.

The 2.1 hashing has nothing to do with sha1 and hex_sha1.

hex_sha1 is the function used in javascript.
sha1 is the function used in php.
The two are equivalent, but of course used in two different scripting languages.


hebrew878

@Arantor  plain text auth doesn't work if user login first time  :-\

emanuele

Converts the string to 8-bit ASCII (I think).

Quote from: hebrew878 on January 06, 2013, 12:56:09 AM
@Arantor  plain text auth doesn't work if user login first time  :-\
It depends on your code. With SMF, if it doesn't work the first time it is usually a javascript issue.



hebrew878

Quote from: emanuele on January 05, 2013, 06:25:03 PM
Quote from: hebrew878 on January 05, 2013, 05:02:41 PM
in SMF 2.1 the javascript hashing will be different, it will also include a one-time token.
hex_sha1()  is not a normal php sha1()  ??
Not sure how you related the fact that 2.1 will have a different hashing method with the equivalence between sha1 and hex_sha1...

Either way.

The 2.1 hashing has nothing to do with sha1 and hex_sha1.

hex_sha1 is the function used in javascript.
sha1 is the function used in php.
The two are equivalent, but of course used in two different scripting languages.
The one I am talking about is SMF 2.0, please give a solution to generate hash_passwrd in php using 3 parameters: username, password, sessionid

Arantor

Where are you getting this session id from?

emanuele




Arantor

The reason I won't just hand over stuff like that is because 1) I don't believe the OP understands what any of it means and 2) I'd rather stonewall until I get some answers because that's better than weakening the security of whatever crazy thing he's trying to make/break.
