HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Please upgrade here. These earlier versions are no longer being updated and have security issues.

Compare an user password

Hello, i'm developing an external app which involves users login. This login will use my Vanilla's installation in order to retrieve user's information. Now the issue is the password hash. I can't find a way to compare the passwords.

Can someone tell me a way to accomplish this? And if possible could you leave an example?

Thanks in advance!

Comments

  • hgtonighthgtonight ∞ · New Moderator

    Password hashing is accomplished via the Gdn_PasswordHash class. This will check the supplied password against a stored hash.

    https://github.com/vanilla/vanilla/blob/2.1/library/core/class.passwordhash.php

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

    joscplan
  • @hgtonight said:
    Password hashing is accomplished via the Gdn_PasswordHash class. This will check the supplied password against a stored hash.

    https://github.com/vanilla/vanilla/blob/2.1/library/core/class.passwordhash.php

    Thank you very much!

  • @hgtonight said:
    Password hashing is accomplished via the Gdn_PasswordHash class. This will check the supplied password against a stored hash.

    https://github.com/vanilla/vanilla/blob/2.1/library/core/class.passwordhash.php

    If you would like to use it on a php to take username and password and print if login was successful or not how would you do it? Thanks in advance.

  • hgtonighthgtonight ∞ · New Moderator

    You would have to get the user from the db, instantiate the password class and run the method:

    $UserModel = new UserModel();
    $User = $UserModel->GetByEmail($Username);
    
    if (!$User) {
      $User = $UserModel->GetByUsername($Username);
    }
    
    $Result = FALSE;
    
    if ($User) {
      // Check the password.
      $PasswordHash = new Gdn_PasswordHash();
      $Result = $PasswordHash->CheckPassword($Password, val('Password', $User), val('HashMethod', $User));
    }
    
    echo ($Result) ? 'Success' : 'Failure';
    

    If you are running this outside of the framework, you will have to bring the UserModel, Gdn_PasswordHash, and their dependent classes into scope yourself. There is probably a better way, depending on what you are trying to achieve.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

    Bleistivtjoscplan
  • @hgtonight said:
    You would have to get the user from the db, instantiate the password class and run the method:

    $UserModel = new UserModel();
    $User = $UserModel->GetByEmail($Username);
    
    if (!$User) {
      $User = $UserModel->GetByUsername($Username);
    }
    
    $Result = FALSE;
    
    if ($User) {
      // Check the password.
      $PasswordHash = new Gdn_PasswordHash();
      $Result = $PasswordHash->CheckPassword($Password, val('Password', $User), val('HashMethod', $User));
    }
    
    echo ($Result) ? 'Success' : 'Failure';
    

    If you are running this outside of the framework, you will have to bring the UserModel, Gdn_PasswordHash, and their dependent classes into scope yourself. There is probably a better way, depending on what you are trying to achieve.

    What I need is via $_GET method compare the users password like this:

    http://example.com/compare.php?user=user&password=password

    This would be on an independent php file but in the same directory where vanilla is installed.

    Then my application would read the result (true,false) just echo the result as the code you gave me early.

    Thank you for hepling me out on this one.

  • hgtonighthgtonight ∞ · New Moderator

    If you are just looking to see if a user is logged in to the forums, just request http://forums.example.com/profile.json. It will return the currently logged in user, or an exception if no user is logged in.

    There is absolutely no reason you should EVER post a password as plaintext in a URL.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

    peregrine
  • @hgtonight said:
    If you are just looking to see if a user is logged in to the forums, just request http://forums.example.com/profile.json. It will return the currently logged in user, or an exception if no user is logged in.

    There is absolutely no reason you should EVER post a password as plaintext in a URL.

    I know the risk thats why I would encode on md5 or other encoding, the password on the url at the end. I don't need to see if the user is loged i need to compare the password as the example code you gave me early taking the data sent from the url.

  • joscplanjoscplan
    edited November 2014

    @hgtonight said:
    You would have to get the user from the db, instantiate the password class and run the method:

    $UserModel = new UserModel();
    $User = $UserModel->GetByEmail($Username);
    
    if (!$User) {
      $User = $UserModel->GetByUsername($Username);
    }
    
    $Result = FALSE;
    
    if ($User) {
      // Check the password.
      $PasswordHash = new Gdn_PasswordHash();
      $Result = $PasswordHash->CheckPassword($Password, val('Password', $User), val('HashMethod', $User));
    }
    
    echo ($Result) ? 'Success' : 'Failure';
    

    If you are running this outside of the framework, you will have to bring the UserModel, Gdn_PasswordHash, and their dependent classes into scope yourself. There is probably a better way, depending on what you are trying to achieve.

    I adapted that to my needs and ended up with this:

    $User = "User";
    $Password = "password";
    $Storedhash = "245024426e6759724b723532744677746f3956644e7a4263774f35326a4d37314931";
    $Hashmethod = "Vanilla";

    $PasswordHash = new Gdn_PasswordHash();
    $Result = $PasswordHash->CheckPassword($Password, $Storedhash, $Hashmethod , $User);

    echo ($Result) ? 'Success' : 'Failure';

    But it seems its not working, it will always be a failure even if the stored hash corresponds to the actual password or not. What am I doing wrong here?

  • BleistivtBleistivt Moderator
    edited November 2014

    That does not look like a Vanilla password hash. Did you hash it with md5?

    You should use the phpass library for password hashing, never use md5 for password hashing.

  • joscplanjoscplan
    edited November 2014

    @Bleistivt said:
    That does not look like a Vanilla password hash. Did you hash it with md5?

    You should use the phpass library for password hashing, never use md5 for password hashing.

    Thats the one taken directly from the database.

  • Try passing the Username to the CheckPassword call as the fourth argument.

  • joscplanjoscplan
    edited November 2014

    @Bleistivt said:
    Try passing the Username to the CheckPassword call as the fourth argument.

    If you read the code i posted early I'm actually passing the Username at the fourth argument of the CheckPassword call. Although the user is not needed on CheckVanilla function as it just takes two arguments: $Password and $StoredHash.

    I even tried md5 hasing $Password and no luck.

  • Update: Found the problem.

    The value I was using as the password was encrypted on the database as varbinary(100) i had to convert that to CHAR using this: cast(Password as CHAR) Then i retrieved the right password and it finally worked.

    Bleistivthgtonight
  • x00x00 MVP
    edited November 2014

    joscplan your approach is flawed security wise.

    What you really need is an API approach, and possibly SSO.

    It is one for those "you are doing it wrong" moments.

    People often get confused between Passwords and Authentication. Really you don’t want to pass passwords around more than you have to.

    First explain who is going to be using this app, and what form it is? I presume it is client program?

    grep is your friend.

  • Another approach is simply make you client program handle the cookie jar. You can log in once through curl, by the normal POST method.Work in JSON, you have the standard API, plus the API app. If you are not expert on the security issues, you want to use existing libraries that do sand boxing, work as lightweight browser/web client to protect credentials.

    grep is your friend.

  • @x00 said:
    Another approach is simply make you client program handle the cookie jar. You can log in once through curl, by the normal POST method.Work in JSON, you have the standard API, plus the API app. If you are not expert on the security issues, you want to use existing libraries that do sand boxing, work as lightweight browser/web client to protect credentials.

    I know the risks but i'll be using Webservice instead, I wanted to make that functional in order to proceed with the implementation of it with my webservice.

Sign In or Register to comment.