non-VB using VB - password change


DHDesign
03-05-2008, 10:37 PM
we have an intranet system we've built and it utilizes vBulletin's login system and so forth...everything works like a charm so far.

question is: there is a My Profile section that users will use to change their password...we don't want to use vBulletin's password change page, because we have our own design.

(the admin initially sets up the user with a temporary password as the site does not allow new registrations or outside access...we know who everyone is)

will it work to simply update the vb_user table as such when they go to the My Profile section:


// new password as submitted by the My Profile form
$newpass = $_POST['newpass'];
// look up the user's existing salt
$currentpassword = mysql_query("SELECT passworddate, salt FROM vb_user WHERE userid = '$userid' LIMIT 1");
$current_pass = mysql_fetch_array($currentpassword);
$vbsalt = $current_pass['salt'];
// salted double-MD5 hash of the new password
$pass_hash = md5(md5($newpass) . $vbsalt);
$passdate = date('Y-m-d');
// write the new hash and password date directly to the user table
$updatepassword = mysql_query("UPDATE vb_user SET password = '$pass_hash', passworddate = '$passdate' WHERE userid = '$userid'");


I implemented this and it worked, BUT, now I have users trying to log in a couple of days later and now all of a sudden, they can't...so the admin needs to reset the password and they can get back in again.

so is something wrong with how we are changing the password?

WhaLberg
03-06-2008, 12:50 AM
I had faced that problem once. Try it as: md5($newpass . $vbsalt);

DHDesign
03-06-2008, 01:42 AM
so drop the brackets around $newpass?

so it would be:

$pass_hash = md5(md5($newpass . $vbsalt));


OR


$pass_hash = md5($newpass . $vbsalt);


and also, so is client-side encryption using vbulletin_md5.js not necessary?

the thing is also that users are having no problems getting in, and they change the password and it encrypts correctly...it's only after a few days that they log in where they are suddenly not able to anymore...very strange...so I'm thinking it might have something to do with session hashes or something since I'm just updating the database with the new encrypted password rather than go through the entire process vBulletin goes through for password changes.

thoughts?

Dismounted
03-06-2008, 04:33 AM
$pass = md5(md5($rawpass) . $salt);
Using the vBulletin User Datamanager is the recommended way as it updates the caches/etc. as well.

WhaLberg
03-06-2008, 05:43 AM
I had written a conversion script once for a board software. I tried passwords as md5(md5($password . $salt)) but it didn't work, so I tried it as md5($password . $salt) and it did work.

Dismounted
03-06-2008, 10:49 AM
Maybe because the board already MD5 hashed it once :).

WhaLberg
03-06-2008, 11:29 AM
Absolutely. :D

DHDesign
03-06-2008, 12:49 PM
if we have an SSL on the site, could I make things simpler and just remove the javascript client-side md5 encryption that vBulletin uses?

that way, the password would be sent as clear text, hashed and matched to the encryption on the database...then there would be no need for the cache settings and so on.

reason I ask is also that I created a test script to see what the output of the md5 client side encryption is and it doesn't match what is on the database side for the same password...I'm guessing since the client side encrypts with the license of the board whereas the database side is with the salt found in the user table....correct? or am I missing something?

ps - thanks for the responses, much appreciated!

Opserty
03-06-2008, 02:31 PM
Not sure but this might help you: https://vborg.vbsupport.ru/showpost.php?p=1456485&postcount=7

Hence why the client side doesn't match the Database to begin with.
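
An added example (not part of the thread and not vBulletin's own code) that compares the hash formulas discussed above against the stored format md5(md5($rawpass) . $salt), including the case where the form has already MD5-hashed the password in the browser. The salt, password and function names are constructed for illustration; that the client-side script submits a plain md5(password) is an assumption.

```php
<?php
// Added illustration, not vBulletin code. Salt and password are constructed.

// Stored format quoted in the thread: md5(md5($rawpass) . $salt).
function stored_hash_from_raw(string $rawpass, string $salt): string
{
    return md5(md5($rawpass) . $salt);
}

// If the browser already sent md5(password) (assumed behaviour of the
// client-side script), only the outer salted round is still missing.
function stored_hash_from_md5(string $md5pass, string $salt): string
{
    if (!preg_match('/^[a-f0-9]{32}$/', $md5pass)) {
        throw new InvalidArgumentException('expected a 32-character hex MD5 digest');
    }
    return md5($md5pass . $salt);
}

$salt        = 'x9Q';            // constructed sample salt
$raw         = 'Temp-Pass-123';  // constructed sample password
$stored      = stored_hash_from_raw($raw, $salt);
$fromBrowser = md5($raw);        // what a pre-hashing form would submit (assumption)

$candidates = [
    'md5(md5($raw) . $salt)'         => md5(md5($raw) . $salt),
    'md5(md5($raw . $salt))'         => md5(md5($raw . $salt)),
    'md5($raw . $salt)'              => md5($raw . $salt),
    'pre-hashed input, outer round'  => stored_hash_from_md5($fromBrowser, $salt),
    'pre-hashed input, full formula' => stored_hash_from_raw($fromBrowser, $salt),
];

foreach ($candidates as $label => $hash) {
    // hash_equals() compares the two digests in constant time.
    $verdict = hash_equals($stored, $hash) ? 'matches stored hash' : 'does NOT match';
    printf("%-32s %s  %s\n", $label, $hash, $verdict);
}
```

Only the first and fourth rows match the stored value; the last row is the extra MD5 round a profile page would store if it applied the full formula to a field that was already hashed in the browser.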