We've set up a test server with the latest ver 3.7.4 I noticed the logout hash has changed.

At present, we are running on 3.6.8 and is running fine.

May I know what's the latest algo to generate logout hash?

Thank

Yes, the logout hash has changed in vBulletin 3.7.

Pre-3.7 Logout Hash
$logouthash = md5($userid . $salt . $license);

3.7+ Logout Hash
$logouthash = sha1($userid . sha1($salt) . sha1(COOKIE_SALT));
OR
$logouthash = $vbulletin->userinfo['securitytoken_raw'];

Many Thanks.

I suggest this thread be moved to the FAQ. Or, is the new algo change reflected inthe vBulletin manual?

Thanks

I do not believe any algorithms are in the manual in the first place.

How do you generate the value of "COOKIE_SALT"?

COOKIE_SALT is your license number. (NOT your customer number!)

Thanks Dismounted.

Are you able to confirm this is the correct mysql syntax for the new 3.7 algo? The result is vastly different.


select sha1(concat(user.userid,sha1( user.salt ),sha1('MYLICENSENUMBER'))) AS logouthash2 from user


I noticed the vB 3.7 generates the hash in this format: {Unix timestamp}-{Hash}

Is the unix timestamp any significant?
Thanks

Ah yes, I forgot about that. They actually changed the algorithm (again), in a later version. The algorithm I provided will work, but will not provide a time "expiry" check. The algorithm you mention is this ($rawhash being the result of the algorithm I gave you before):
$tokenhash = TIMENOW . '-' . sha1(TIMENOW . $rawhash);

*strangles dismounted* . LOL!

Thanks!

Okay. Any insights on how to generate the constant TIMENOW?

I'm sure it's not as straight forward as mysql's UNIX_TIMESTAMP() nor php's time()

TIMENOW is just generated with time(). vBulletin uses TIMENOW to keep the time constant over the entire script's execution.