
Problem with Vanilla's HashMethod

Hello,
My name is Thomas and I want to integrate Vanilla Forums into Boonex Dolphin instead of Orca Forum, because it's bad. The gateway is nearly ready for release, because I have one question right now.

How can I hash my passwords so that Vanilla can recognize and use them?
My code is like this:

$iPwID
$cphashmetod = 'Vanilla';

$vpasswort = $aNewProfile['Password']; // catch password as cleartext
Password = 'Vanilla';
$hashinsert = md5($vanillasalt.$vpasswort);
echo "$hashinsert";

What's going wrong?
Inserts in table GDN_User:

$hashinsert in: Password
Password in: HashMethod

I hope somebody knows a little bit more and is able to help me.
Thanks in advance
Thomas

Comments

  • businessdad Stealth contributor MVP

    Perhaps I misunderstood the requirements, but, if Dolphin is managing the Users, then you are looking for a Single Sign On solution, such as JsConnect or ProxyConnect.

  • @businessdad said:
    Perhaps I misunderstood the requirements, but, if Dolphin is managing the Users, then you are looking for a Single Sign On solution, such as JsConnect or ProxyConnect.

  • x00 MVP
    edited April 2013

    businessdad is correct; you should find it easier to use a connect.

    nevertheless

    md5($vanillasalt.$vpasswort);

    is comparable to the django hash method; vanilla's hash method is the more complex phpass. You can put django in the HashMethod field; you would separate the parts with $

    e.g. 'md5$'.$Salt.'$'.md5($Salt.$Password);

    If you want to get a valid vanilla hash, it is like so:

    $PasswordHash = new Gdn_PasswordHash();
    $Password = $PasswordHash->HashPassword($Password);
    

    grep is your friend.

  • x00 MVP
    edited April 2013

    btw it is not recommended to use a fixed salt for all users. This is bad. Salts should be specific to the hashed password, which is why hashed passwords are often in multiple parts, which contain salt, pepper, hash algorithm, hash, etc.

    This makes for variable results, which is more secure. Vanilla's hash method takes care of this.

    grep is your friend.

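An added example, not part of the original thread and not Vanilla's own code: it builds the three-part `md5$salt$hash` string described above and shows why a per-user salt matters. The function names and the sample password are hypothetical; only the string format and the `Password` / `HashMethod` column names come from the posts.

```php
<?php
// Added illustration. Helper names are hypothetical, not Vanilla functions.

// Build the django-style string from the thread: 'md5$<salt>$<md5(salt . password)>'.
function makeDjangoMd5Hash(string $password, ?string $salt = null): string
{
    // Fresh random salt per password unless the caller forces one.
    // Hex output never contains '$', so the three parts stay unambiguous.
    $salt = $salt ?? bin2hex(random_bytes(8));
    return 'md5$' . $salt . '$' . md5($salt . $password);
}

// Check a candidate password against a stored 'md5$salt$hash' string.
function checkDjangoMd5Hash(string $password, string $stored): bool
{
    $parts = explode('$', $stored);
    if (count($parts) !== 3 || $parts[0] !== 'md5') {
        return false; // malformed or different scheme: reject, never guess
    }
    [, $salt, $hash] = $parts;
    // hash_equals compares in constant time.
    return hash_equals($hash, md5($salt . $password));
}

// Constructed sample: two users who happen to choose the same password.
$password = 'correct horse';

// Fixed salt for everyone: both rows store the same string, so anyone
// reading the table can see which users share a password.
$fixedA = makeDjangoMd5Hash($password, 'sitewide');
$fixedB = makeDjangoMd5Hash($password, 'sitewide');
var_dump($fixedA === $fixedB);

// Per-user random salt: the stored strings differ, yet each still verifies.
$userA = makeDjangoMd5Hash($password);
$userB = makeDjangoMd5Hash($password);
var_dump($userA === $userB);
var_dump(checkDjangoMd5Hash($password, $userA));
var_dump(checkDjangoMd5Hash('wrong guess', $userA));
var_dump(checkDjangoMd5Hash($password, 'md5$onlytwoparts'));

// Column values as described in the thread (assumed mapping, for illustration).
print_r(['Password' => $userA, 'HashMethod' => 'django']);
```

MD5 is a fast hash, so this format is only an interoperability fallback; the `Gdn_PasswordHash` route shown in the thread is the stronger option for new passwords.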
  • Hi,
    Thank you everybody for the quick help and your hints. These are very helpful to me to understand the hash process right now.
    Yes, Dolphin should manage the users, but on creation of an account, the script should also create the user in Vanilla, including password and username.

    By use of: "$passwordcatch = $aNewProfile['Password'];" I will catch the password in cleartext, and with:

    $PasswordHash = new Gdn_PasswordHash();
    $PassinsertVN = $PasswordHash->HashPassword($passwordcatch);

    I will try to store the password in Vanilla's user table, but it does not work; nothing will be stored. Have I forgotten something, or something to include?

    thank you
    greets
    Thomas

  • x00 MVP
    edited April 2013

    how are you loading the framework?

    Like we said, if in doubt use one of the SSO solutions. Look in the docs for details.

    Passing around passwords is a way to create weakness in your security.

    grep is your friend.

  • Hi and thanks, is an SSO solution really necessary? I think it's necessary when a user logged in to Dolphin is also logged in to Vanilla at the same time. In order to avoid weakness in the application I only want to hash the caught password and store it otherwise in my database. Thank you Thomas

  • Is this the right way to implement SSO? http://vanillaforums.org/docs/singlesignon

  • hgtonight ∞ · New Moderator

    @thomasp said:
    Is this the right way to implement SSO? http://vanillaforums.org/docs/singlesignon

    I would definitely try it.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • SSO is about authenticating users; it is saying that the user is valid, let them pass. The sessions are separate, but linked to the authentication. In jsConnect it is delayed till the last moment when they visit the forum and credentials are checked; with ProxyConnect you can create the sessions together. If you read the docs you can see how to do that.

    grep is your friend.
