Password auth

Started by ezycc, July 17, 2022, 01:49:33 PM

ezycc

Hi

Just upgraded my forum to 2.1.2. I have a website that runs off the members database attached to the forum. Previously I could log in members using

$pass = SHA1(strtolower($username) . $pass);

However it seems to have changed, can anyone provide any guidance on how passwords are stored now so I can adjust my code accordingly?

Arantor

Call: hash_verify_password($username, un_htmlspecialchars($password_entered_by_user), $password_hash_in_members_table)

This function is in Subs-Auth.php.

Edit: un_htmlspecialchars is only needed if the password was entered via $_POST inside SMF normal runtime.

ezycc

Thanks, I'll give it a go!

ezycc

Tested using this script. For testing purposes I have entered my username and password and copied the salt from the database, however it always returns FALSE. I can't seem to get it to return TRUE, even though the details are correct?

include_once("forums/SSI.php");
include_once("forums/Sources/Subs-Auth.php");

$user = "xx";
$pass = "xx";
$salt = "xx";

$str = hash_verify_password($user, un_htmlspecialchars($pass), $salt);

if ($str) {
    echo "True";
}

Arantor

$user is the username, $pass is the password entered by the user, $salt is wrong here; the third parameter to hash_verify_password as per my previous post is the password hash from the members table, not the password salt. You have to retrieve it from the database *first* before passing it to hash_verify_password.

ezycc

Ah, my mistake, it's working now, thanks for your help!
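
The fix discussed in this thread, as an added stand-alone example that is not part of the original posts and is not SMF's own code. It goes slightly beyond the thread by also handling a row that still holds the old SHA1 value from the first post. Assumptions: `verify_member_password()` is a hypothetical stand-in for `hash_verify_password()` and is assumed to bcrypt-verify the lower-cased username followed by the password; the column names and the row values are constructed.

```php
<?php
// Hypothetical stand-in for hash_verify_password() so this runs without SMF.
// ASSUMPTION: the stored value is a bcrypt hash of strtolower(username) . password.
function verify_member_password(string $username, string $password, string $storedHash): bool
{
    return password_verify(strtolower($username) . $password, $storedHash);
}

// The pre-upgrade scheme quoted in the first post, compared in constant time.
function verify_legacy_sha1(string $username, string $password, string $storedHash): bool
{
    return hash_equals(strtolower($storedHash), sha1(strtolower($username) . $password));
}

// Constructed members-table row; column names and values are assumptions.
$row = [
    'member_name'   => 'ExampleUser',
    'passwd'        => password_hash('exampleuser' . 'correct horse', PASSWORD_BCRYPT),
    'password_salt' => 'a1b2c3d4',
];

// Verify against the stored password hash, never against the salt column.
function check_login(array $row, string $password): bool
{
    $hash = $row['passwd'];
    // ASSUMPTION: a 40-hex-character value is a row not yet rehashed from SHA1.
    if (preg_match('/^[0-9a-f]{40}$/i', $hash) === 1) {
        return verify_legacy_sha1($row['member_name'], $password, $hash);
    }
    return verify_member_password($row['member_name'], $password, $hash);
}

// Correct password checked against the stored hash.
var_dump(check_login($row, 'correct horse'));
// Wrong password checked against the stored hash.
var_dump(check_login($row, 'wrong password'));
// The mistake from the thread: the salt column passed as the third argument.
var_dump(verify_member_password($row['member_name'], 'correct horse', $row['password_salt']));

// A constructed legacy row holding the old SHA1 value still verifies.
$legacy = ['member_name' => 'ExampleUser', 'passwd' => sha1('exampleuser' . 'correct horse')];
var_dump(check_login($legacy, 'correct horse'));
```

In a real integration the row comes from a parameterized query on the members table, and the stand-in is replaced by the `hash_verify_password()` call shown earlier in the thread.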
