Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanilla Forums Password Encoding Method

I need to know what the password encrypting method for Vanilla Forums. As i am making a minecraft bukkit plugin to register players with a specified password.


  • Options
    x00x00 MVP
    edited June 2014

    Authentication does not equal passing passwords around, it is insecure and not how SSO authentication works. SSO authenticates a user, user sign on through a service, they are authenticated, through SSO solution to useother services.

    The way a session is authenticated, can be somewhat unrelated to he authentication of sign on credentials (ie password) when logging in. if you can establish securely that there is valid session cookie, then you can set up session for the other service (registering them if necessary).

    In most applications passwords are not encrypted, they are one way hashed. Which is why you rarely get you password back if you forget it.

    grep is your friend.

  • Options

    Lastly being "logged on" is concept that doesn't really exist between requests on a server.

    HTTP is stateless therefore there is no state of "logged on". Being "logged on" is merely the effect of having a valid session valid a secured cookie. However the sever would have nod idea if that cookie still remains, when not reached.

    if you are authenticated by another service, you are merely saying that services authentication is good enough to allow access to other service, additional password is not necessary. But you must be wary of forgery.

    I hope this helps.

    grep is your friend.

  • Options
    hgtonighthgtonight ∞ · New Moderator

    It sounds like you have db access and want to just insert a record into the user table. While I don't suggest you do this, Vanilla's hashing method is documented in the Gdn_PasswordHash::HashPassword() method.

    If you can make http requests you could use the API application and POST to the /users endpoint. This would require running alpha software, so I don't really suggest it.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • Options

    @hgtonight‌ where do I find the method?

  • Options

    you can use grep to find almost anything. its a useful tool google it.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

Sign In or Register to comment.