Compare a user password
Hello, I'm developing an external app which involves user login. This login will use my Vanilla installation in order to retrieve the user's information. Now the issue is the password hash. I can't find a way to compare the passwords.
Can someone tell me a way to accomplish this? And if possible could you leave an example?
Thanks in advance!
Comments
Password hashing is accomplished via the Gdn_PasswordHash class. This will check the supplied password against a stored hash.
https://github.com/vanilla/vanilla/blob/2.1/library/core/class.passwordhash.php
Search first
Check out the Documentation! We are always looking for new content and pull requests.
Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.
Thank you very much!
If you would like to use it in a PHP script to take a username and password and print whether login was successful or not, how would you do it? Thanks in advance.
You would have to get the user from the DB, instantiate the password class and run the method:
If you are running this outside of the framework, you will have to bring the UserModel, Gdn_PasswordHash, and their dependent classes into scope yourself. There is probably a better way, depending on what you are trying to achieve.
What I need is to compare the user's password via the $_GET method, like this:
http://example.com/compare.php?user=user&password=password
This would be in an independent PHP file, but in the same directory where Vanilla is installed.
Then my application would read the result (true/false); just echo the result, as in the code you gave me earlier.
Thank you for helping me out on this one.
If you are just looking to see if a user is logged in to the forums, just request http://forums.example.com/profile.json. It will return the currently logged in user, or an exception if no user is logged in.
There is absolutely no reason you should EVER post a password as plaintext in a URL.
I know the risk; that's why I would encode the password on the URL with md5 or another encoding at the end. I don't need to see if the user is logged in; I need to compare the password, as in the example code you gave me earlier, taking the data sent from the URL.
I adapted that to my needs and ended up with this:
<?php
// Posted snippet: checks a password against a hash read from Vanilla's User table.
// Gdn_PasswordHash must already be loaded (e.g. by bootstrapping the framework).
$User = "User";
$Password = "password";
$Storedhash = "245024426e6759724b723532744677746f3956644e7a4263774f35326a4d37314931";
$Hashmethod = "Vanilla";
$PasswordHash = new Gdn_PasswordHash();
// Signature in 2.1: CheckPassword($Password, $StoredHash, $Method, $Username)
$Result = $PasswordHash->CheckPassword($Password, $Storedhash, $Hashmethod, $User);
echo ($Result) ? 'Success' : 'Failure';
But it seems it's not working: it is always a failure, whether or not the stored hash corresponds to the actual password. What am I doing wrong here?
That does not look like a Vanilla password hash. Did you hash it with md5?
You should use the phpass library for password hashing, never use md5 for password hashing.
My themes: pure | minusbaseline - My plugins: CSSedit | HTMLedit | InfiniteScroll | BirthdayModule | [all] - PM me about customizations
VanillaSkins.com - Plugins, Themes and Graphics for Vanillaforums OS
That's the one taken directly from the database.
Try passing the Username to the CheckPassword call as the fourth argument.
If you read the code I posted earlier, I'm actually passing the Username as the fourth argument of the CheckPassword call. Although the user is not needed in the CheckVanilla function, as it just takes two arguments: $Password and $StoredHash.
I even tried md5 hashing $Password and no luck.
Update: Found the problem.
The value I was using as the password was encrypted in the database as varbinary(100); I had to convert that to CHAR using this:
cast(Password as CHAR)
Then I retrieved the right password and it finally worked.
joscplan, your approach is flawed security-wise.
What you really need is an API approach, and possibly SSO.
It is one of those "you are doing it wrong" moments.
People often get confused between Passwords and Authentication. Really, you don't want to pass passwords around more than you have to.
First explain who is going to be using this app, and what form it takes. I presume it is a client program?
grep is your friend.
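Verifying a stored Vanilla hash outside the framework, as an added example that is neither Vanilla's code nor any poster's: Gdn_PasswordHash wraps the phpass "portable" hash (the $P$ strings), so a check equivalent to the "Vanilla" method of CheckPassword can be reproduced with the phpass algorithm directly. This Python re-implementation of that algorithm (md5-based, with phpass's own base64 alphabet; the function names hash_password, check_password and normalize_stored_hash are this example's, not Vanilla's) shows the check succeeding against a freshly created hash, failing once the same hash is read back hex-encoded, which is what the varbinary column produced above, and succeeding again after decoding. The salt and sample password are constructed here; the hex string in the script is the one quoted earlier in the thread.

```python
"""Stand-alone check of a phpass "portable" ($P$) password hash.

Added example, not Vanilla's code: Gdn_PasswordHash wraps the phpass
algorithm, re-implemented here so the check can run without loading
the framework. Sample salt, password and hash below are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

# phpass's own 64-character alphabet (not RFC 4648 base64)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """Port of phpass encode64(): 3 input bytes -> 4 output chars, little-endian."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def _crypt_private(password: bytes, setting: str) -> str:
    """Port of phpass crypt_private(): "$P$" + cost char + 8-char salt + 22-char digest.

    Returns a string starting with '*' (never a valid hash) when the setting is
    malformed, so a comparison against it always fails."""
    output = "*0"
    if setting[:2] == output:
        output = "*1"
    if len(setting) < 12 or not setting.isascii() or setting[:3] not in ("$P$", "$H$"):
        return output
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return output
    salt = setting[4:12]
    digest = hashlib.md5(salt.encode("ascii") + password).digest()
    for _ in range(1 << count_log2):  # 2**count_log2 stretching rounds
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)


def hash_password(password: str, cost_log2: int = 13, salt: Optional[bytes] = None) -> str:
    """Create a new portable hash. cost_log2=13 gives the "$P$B" prefix seen in the
    thread (2**13 md5 rounds); the 6-byte salt is random unless one is supplied."""
    if salt is None:
        salt = os.urandom(6)
    if len(salt) != 6:
        raise ValueError("phpass salts are 6 raw bytes")
    setting = "$P$" + ITOA64[cost_log2] + _encode64(salt, 6)
    return _crypt_private(password.encode("utf-8"), setting)


def check_password(password: str, stored_hash: str) -> bool:
    """True only if the hash recomputed from `password` equals `stored_hash`.
    Compared in constant time rather than with ==, unlike upstream phpass."""
    computed = _crypt_private(password.encode("utf-8"), stored_hash)
    if computed.startswith("*"):
        return False
    return hmac.compare_digest(computed.encode(), stored_hash.encode())


def normalize_stored_hash(raw: str) -> str:
    """Undo the hex encoding a varbinary column shows up with in some clients
    (e.g. "2450 24..." in place of "$P$..."); anything else is returned unchanged."""
    if raw.startswith("$"):
        return raw
    try:
        decoded = bytes.fromhex(raw).decode("ascii")
    except ValueError:
        return raw
    return decoded if decoded.startswith("$") else raw


if __name__ == "__main__":
    # Constructed sample with a fixed salt so the run is reproducible
    h = hash_password("correct horse", salt=b"\x01\x02\x03\x04\x05\x06")
    print(h, check_password("correct horse", h), check_password("wrong", h))
    # Same hash read back hex-encoded, as the varbinary(100) column returned it
    hexed = h.encode().hex()
    print(check_password("correct horse", hexed))                         # False
    print(check_password("correct horse", normalize_stored_hash(hexed)))  # True
    # The hex string quoted in this thread decodes to an ordinary $P$B... hash
    print(normalize_stored_hash("245024426e6759724b723532744677746f3956644e7a4263774f35326a4d37314931"))
```

Only the "Vanilla" hash method is covered: rows imported from other forum software carry a different HashMethod and a different format. The constant-time comparison is a deliberate departure from upstream phpass's `===`; it costs nothing and removes a timing side channel from the check.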
Another approach is simply to make your client program handle the cookie jar. You can log in once through curl, by the normal POST method.
Work in JSON; you have the standard API, plus the API app. If you are not an expert on the security issues, you want to use existing libraries that do sandboxing and work as a lightweight browser/web client to protect credentials.
I know the risks, but I'll be using a webservice instead; I wanted to make that functional in order to proceed with implementing it with my webservice.