writing my own sign-up form

hi,

I need to know what hashing is used in hashing the password from the signup form. Presently I'm using Vanilla's signup but it's not playing well because I've got it in an iframe which I can't break out of to redirect after the sign-in process. So, having lost a day messing with it, I reckon I'd be better off doing it my own way.

The form itself poses no problem - I use my own honeypot and will only need username, email and password. I can see from the DB that the password is hashed (md5), I suspect, but it also looks like it's using a 'salt'. Does anyone know the exact algorithm for the password hash? I can deal with the other DB fields in the user table.

thanks

Comments

  • This has been discussed, I believe. Did you try searching the forum? I don't recall enough to give you an answer, but I am sure the hashing function is in the core if you search through the source code for things like salt etc.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • hgtonight ∞ · New Moderator

    Welcome to the community!

    What version of Vanilla are you running?

    You are looking for /library/core/class.passwordhash.php and /library/vendors/phpass/PasswordHash.php for all things related to password hashes.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • hi,

    @peregrine, @hgtonight, @vrijvlinder :

    Thanks for your direction guys - got that working now... phew... had to leave it for 24 hours to give my head a rest!!

    Just wondered if anyone knows if I can use any random 12-char alphanumeric string for the transientkey to enter into the user table when creating the user record after sign-in. If it's a new user then the 'transientkey' won't exist at that point - any transientkey I create at this point will be used thereafter for this user... right? Or is it created from some other user data or the sessionID?

    @Peregrine:
    I see you asked about the 'transientkey' in a thread last year and didn't get much response -
    This forum thread:

    http://vanillaforums.org/discussion/17498/sample-code

    discusses it but I'm still none the wiser whether to make a call to the API mentioned here, since I'm actually creating the user record for the first time, so the 'transientkey' key can be anything I make it as long as it's 'Vanilla-safe' 12 chars (uppercase) - if you know what I mean?

    Any thoughts??

  • I see you asked about the 'transientkey' in a thread last year and didn't get much response -

    thanks for the followup @vanejilla

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.