
WordPress 2.5 Bridge

Hey, I've been using the WordPress integration method described here which worked wonderfully. However, as of 2.5, WordPress now uses phpass and salts the hashes, as well as encrypts cookies (Described here towards the bottom). I've already tried to figure out how to modify the implementation but I just can't figure it out. I believe I have to use either wp_hash_password or wp_check_password. I don't care if the auto-authentication works (It might not because that involved cookies, and WordPress changed the way it does cookies). There is a plugin to revert to the original plain md5 hashing method here, but I would prefer the extra layer of security. Here are the definitions of wp_check_password() and wp_hash_password().

I would appreciate if anyone has any answers or could help in any way with this, as I would like to keep Vanilla forums. I don't mind doing this myself, I just need some type of guidance. SirNot, please help :(

Comments

  • This would definitely be needed. I might try and write this myself, if no one else does.
  • I forgot to mention. To use WordPress functions such as the ones I mentioned earlier, wp_check_password() and wp_hash_password(), one must follow the procedure outlined here. This will allow one to call functions as if they were working on WordPress files themselves.

    rmccue: If you do write one eventually, please let me know! I'd be glad to help if you need anything, by the way.
  • While you're at it, you might write an extension for Vanilla that adds the security that WordPress added with their update.
  • I've updated the WordpressAuthenticator written by Mark.

    Please consider:
    • I'm currently using the plugin to store passwords with md5 encryption.
    • You need to login from wordpress at least one time to let it create the "secret" option that is the secret salt (or at least verify that the option exists!).
    • You need to specify a $Configuration['WP_SECRET_KEY'] to match exactly the SECRET_KEY defined in wp-config.php
    • This is highly experimental!
    • The previous version uses two cookies, one to store the plain username and one to store the double-md5-ed password. So to get the identity it verifies the stored username and password with the ones in the cookies.
      In this version, as long as I've got this right, it uses only one cookie to store a string made by the username, the expiration time (I've set this to one hour) and a hash.
      So Vanilla has to verify this hash.
      I'm concerned about weakening the security in a way I've not understood, so, please, could you confirm this?

      I've set up a gdoc with the source, but tell me if there is a better way to share it (I can send the source to Mark if needed).

      The source: http://docs.google.com/View?docid=dhg8h5q9_1dmb7m967

      Thanks!

      Mic
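      The one-cookie scheme described above (username, expiration time and a hash that Vanilla has to verify), as an added stand-alone example that is not the code in the gdoc nor WordPress's own pluggable.php; the key derivation from SECRET_KEY plus the wp_options 'secret' row is my recollection of WP 2.5 and should be checked against your copy of pluggable.php, and the secrets and user below are constructed.

```php
<?php
// Added example, not the thread's bridge code nor WordPress's pluggable.php.
// ASSUMPTION (from memory of WP 2.5): salt = SECRET_KEY . wp_options 'secret',
// key = hmac_md5("user|exp", salt), cookie hmac = hmac_md5("user|exp", key).

// Constructed sample secrets; on a real site SECRET_KEY comes from wp-config.php
// and $wp_secret_option from the 'secret' row in wp_options.
define('SECRET_KEY', 'constructed-unique-phrase');
$wp_secret_option = 'constructed-secret-option-value';

function wp25_cookie_hash($username, $expiration, $secret_option) {
    $data = $username . '|' . $expiration;
    $key  = hash_hmac('md5', $data, SECRET_KEY . $secret_option);
    return hash_hmac('md5', $data, $key);
}

// What wp-login.php sets; included only so the check below can be exercised.
function wp25_generate_auth_cookie($username, $expiration, $secret_option) {
    return $username . '|' . $expiration . '|'
         . wp25_cookie_hash($username, $expiration, $secret_option);
}

// What the Vanilla side must do: parse, reject expired, recompute, compare.
// Returns the username on success, false otherwise.
function wp25_validate_auth_cookie($cookie, $secret_option, $now = null) {
    $now   = ($now === null) ? time() : $now;
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return false;                                  // malformed cookie
    }
    list($username, $expiration, $hmac) = $parts;
    if (!ctype_digit($expiration) || (int) $expiration < $now) {
        return false;                                  // expired or bad expiry
    }
    $expected = wp25_cookie_hash($username, $expiration, $secret_option);
    // hash_equals (PHP >= 5.6) avoids the timing leak of a plain != comparison.
    return hash_equals($expected, $hmac) ? $username : false;
}

// Round trip with a constructed user and the one-hour expiry used above.
$exp    = time() + 3600;
$cookie = wp25_generate_auth_cookie('alice', $exp, $wp_secret_option);
var_dump(wp25_validate_auth_cookie($cookie, $wp_secret_option));                   // valid
var_dump(wp25_validate_auth_cookie('alice|' . $exp . '|0000', $wp_secret_option)); // tampered
var_dump(wp25_validate_auth_cookie($cookie, 'a-different-secret'));                // secret mismatch
```

      Vanilla only needs the validate half plus a lookup of the returned username in wp_users; the generate half is there so the three cases can be run offline.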
  • Typically, I just spent the morning doing precisely the same thing as micz. Should've checked here first! This is working fine on my site in conjunction with the MD5 Password Hashes plugin.

    Our implementation is pretty much the same - cheap and cheerful copy-paste of the auth functions from pluggable.php in WordPress. I suppose it's somewhat reassuring that two people independently came out with the exact same solution.

    Google Doc
  • You're right, we've done the same thing: fast and effective. :) I've only forgotten to remove a couple of unused variables from the custom version of the file I'm using in my webapp. So I assume that this is the right way and we're not weakening the WP security. Mic
  • So I assume that this is the right way and we're not weakening the wp security.
    Yes, this is the absolute wrong way to do it. The password hashing was changed to be more resilient to cracking by using HMACs and this plugin reverts it to the old behaviour. The real way to do it would be to use the actual new functions as part of WP.
  • edited April 2008
    Yes rmccue, you're right. But I was only referring to the new cookie management. I know using that plugin (I didn't write it) is reverting to the old md5 password system. The code I and mafro wrote is about the way WordPress 2.5 is using the cookie to maintain the authentication, and my concern was only about that. I think you can use the WP login form with the new password system and, after the authentication, with the modified WordpressAuthenticator file, the user should still be logged into Vanilla. I've not tested it though. I hope someone will come out with the modification you need.
  • Anyone got this working?

    I have set up my site using micz's script, and installed the md5 hashes plugin in WP. It won't work though - I can easily share the user database as usual, but cookies won't work. When I have logged in in WP I am not logged in in Vanilla, and as soon as I log in in the other place, I am logged out of the other.

    Any idea what I am doing wrong, or how I can fix it?
  • Silkjaer, have you checked if in your wp option table there is the "secret" option? Have you specified a $Configuration['WP_SECRET_KEY'] to match exactly the SECRET_KEY defined in wp-config.php? Given those, it should work. Let me know.
  • Fantastic! Works now!
    Weirdly enough, the secret in wp_options was different from the one in wp-config and Vanilla :) I changed them to all match, and it works!

    Thanks a lot
  • micz: Thanks man, I really appreciate it. I noticed that you are using the MD5 hash plugin for WordPress. This is great since it at least works, but it'd be better if we could make use of the new security features in WordPress. Someone was kind enough to provide a working fix for the WordPress to phpBB3 bridge, WP-United. I think that the method they used could be implemented into the Vanilla bridge. What I mean by this is we can see how they modified the existing code (Since it operated in the same manner as this bridge, the whole hashing of passwords, storing of cookies, etc.) and modify ours respectively. I will try to do this myself but I don't know just how right I could do it. I have provided you with the information you'll need though, I believe.

    Thanks again micz, I really appreciate even this fix. I would definitely appreciate a fix that makes use of the new features though. Like I've said, to be able to use the WordPress functions, you'll want to do what is outlined here.
  • To be honest, I don't think it's really necessary to use the new password hashing scheme. OK, so it's more secure against brute force attacks (rainbow tables etc.) should anyone get access to your DB, but most of the security benefits already exist via the port of the new cookie management protocol and the use of a salt on the hash.

    You can read about the improved cookie handling here and the basic problem with the old cookie implementation is described in this support ticket http://trac.wordpress.org/ticket/5367. This problem is fixed in the WP Bridge provided above. Links courtesy of boren.nu!

    Almost every site on the internet written in PHP will use md5 hashed passwords. For future development it makes sense to use phpass - but I wouldn't really worry about it for your WP/Vanilla homepage.
  • Alright then. So the fix that micz provided is mainly to fix the cookie handling? Because it seems that's why (Else why still use the MD5 Hash plugin). I'm fine with that, it's working perfectly fine now (When I go to the forums I am logged in). Thanks.
  • This modification will not work with WordPress 2.5.1, because some core functions are a little different in this version.
    I hope to find soon the time to update the code.
  • Oh! Perhaps this is what caused my problem...

    I hope the solutions come soon :D
  • Thanks everyone for helping with this. Just wanted to add my voice to those reporting problems with 2.5.1.
  • So I did the changes to my WordPress bridge to make this work with 2.5.1. Unfortunately my modded wordpress/forum effort is so far different from a default install that I can't be sure that mine will work for any of you as is.

    Hence, I quickly did a (very slightly) modified version of micz's code from above which you should hopefully be able to drop into a default install. Find it here:
    http://docs.google.com/Doc?id=dcf7jf9g_1gcjpktgg

    If anyone would care to test this, I'll have a look if you find any problems. If I had more time I'd do a default install and test myself!

    Cheers all
    mafro
  • @mafro: First off, thanks for your effort. I tried to install your modified version of micz's code. My WordPress (2.5.1) is almost default, and my Vanilla (1.1.4) install is. Unfortunately it doesn't seem to work in my case. These are the steps I have taken:

    - Followed the steps in the Wiki that describes how to integrate WordPress and Vanilla (http://lussumo.com/docs/doku.php?id=vanilla:integration:wordpress).
    - Placed your code in library/People and saved it as 'People.Class.WordpressAuthenticator.php'.
    - Edited the settings.php file in the conf directory:

      // Wordpress Authenticator
      $Configuration['AUTHENTICATION_MODULE'] = 'People/People.Class.WordpressAuthenticator.php';
      $Configuration['DEFAULT_ROLE'] = '3';
      $Configuration['ALLOW_IMMEDIATE_ACCESS'] = '1';
      $Configuration['WP_SECRET_KEY'] = 'my_secret';

      The WP_SECRET_KEY is the same as SECRET_KEY in wp-config.php. Also I updated the WordPress database:

      mysql> update wp_options set option_value='my_secret' where option_name='secret';

    - Installed and activated the MD5 Password Hashes plugin. Logged in again so it altered my MD5-hash.
    - After that, I surfed to my Vanilla forum, but I wasn't logged in automatically. When I try to log in, I don't receive any error, but I'm not able to login.
    - When I commented out the $Configuration['AUTHENTICATION_MODULE'] setting, I can login to Vanilla with the credentials from WordPress.

    So am I missing something here? Is there a way to get more into debugging? Thanks in advance for your reply. Ciao, Bivak.
  • edited May 2008
    OK, I just did a default install and integration of WP 2.5.1 and Vanilla 1.1.4. I followed essentially the same steps as you did, but to clarify also:

    - I use the wp_users table, with the additional columns for Vanilla.
    - I don't use the WP login form. I redirect any requests for wp-login.php onto the Vanilla login page (see some code below). This shouldn't really make any difference however!

    I tried the modded code I posted previously, and yes, it didn't work. I'll have a look at working out why later - I don't have time now. But, I did drop in my WordpressAuthenticator (posted originally above) and it worked fine.

    Try this code as a drop in replacement and let me know how you get on.

    http://docs.google.com/View?docid=dcf7jf9g_2dw92g6z8

    For reference this is the excerpt from my conf/database.php:

    // Map to the wordpress user table
    $DatabaseTables['User'] = 'wp_users';
    // Map existing wordpress columns to Vanilla
    $DatabaseColumns['User']['UserID'] = 'ID';
    $DatabaseColumns['User']['UserLogin'] = 'user_login';
    $DatabaseColumns['User']['Name'] = 'display_name';
    $DatabaseColumns['User']['Password'] = 'user_pass';
    $DatabaseColumns['User']['Email'] = 'user_email';
    $DatabaseColumns['User']['DateFirstVisit'] = 'user_registered';
    And here's the little bit of redirect code I added to wp-login.php. If you use this, set ROOT_URL to the location of your wordpress install (prob just / on live server).

    define("ROOT_URL", "/wordpress251/");
    // read the query parameters without triggering undefined-index notices
    $action    = isset($_GET['action']) ? $_GET['action'] : '';
    $loggedout = isset($_GET['loggedout']) ? $_GET['loggedout'] : '';
    if (($action == "logout") || ($loggedout == "true")) {
        // redirect Wordpress logout requests to home
        $return_url = ROOT_URL;
    } else if (strlen($_SERVER['QUERY_STRING']) == 0) {
        // redirect Wordpress login with no return_url to home
        $return_url = ROOT_URL;
    } else if (strpos($_SERVER['REQUEST_URI'], "wp-login.php?redirect_to=") > 0) {
        // crop off the Wordpress wp-login redirect
        $return_url = str_replace(ROOT_URL . "wp-login.php?redirect_to=", "", $_SERVER['REQUEST_URI']);
        $return_url = urldecode($return_url);
    } else {
        $return_url = $_SERVER['REQUEST_URI'];
    }
    // $return_url comes straight from the request: only follow it if it is a local path
    if (substr($return_url, 0, 1) != "/" || substr($return_url, 0, 2) == "//") {
        $return_url = ROOT_URL;
    }
    // don't use Wordpress login; re-encode the return URL so it survives as a query parameter
    header("Location: forum/people.php?PageAction=SignOutNow&ReturnUrl=" . urlencode($return_url));
    exit;
    mafro