The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Turn off client side password encryption
I am writing a plugin to enable us to authenticate users against Lotus Notes but need to receive the password in plain text rather than the encrypted form that vB sends via client side encryption through the md5hash function of the vbulletin_md5.js file.
Can anyone shed any light on how to turn off the client side encryption? From tests, you can still login with JavaScript turned off in the browser so I don't see that disabling this will prevent user login. To alleviate any security concerns, the forum will be running over an SSL link. Many thanks for any assistance!
#2
Don't you think that you should work harder for that, instead of breaking the privacy of your users by having their passwords?
#3
Quote:
Any system worth its pennies will not allow an encrypted password to be seen based upon the submission of a correct username. LN is the same - you can't just send the username and get back the encrypted password to then be compared against the password encrypted at client level by vB.
Quote:
#4
Actually Magnumutz, you are completely aside of the track, so please, don't be rude with the client.
@Quantel, there is a way to retrieve the unencrypted password, and as you are using SSL on your site, this may be the solution... As you already tested it, deactivating the JavaScript in the login process is a good way, and there is a minimum of hacking needed to do it internally... I think there is already a solution released in the Mods section...
#5
If I remember correctly, the following in your config.php should also enable sending of plaintext passwords:
PHP Code:
A much better solution would be to add the second hashing mechanism to the hashed passwords available in the application. To do this on the vBulletin side, you might consider changing the password hashing on the client side and hashing it also in the format Notes expects before clearing the plaintext vBulletin password. I guess it is better to send 2 hashed versions of the password over the internet than 1 time in plaintext.
#6
The "define('DISABLE..." worked a treat. I do agree that there might be a decrease in security but I think that this is reduced in impact by the use of SSL. In this particular case though, if we were to only use the md5'd password, that would be sent to Lotus, be md5'd again and of course would subsequently fail the authentication.
Thank you for your assistance Marco, and nexialys!
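The mismatch described in post #6, as an added example that is not part of the original thread and is not vBulletin or Lotus Notes code. It assumes vBulletin 3 stores md5(md5(password) . salt); `vb_verify()` and `backend_verify()` are hypothetical names, and SHA-256 stands in for whatever the external directory uses (it is not the Notes algorithm).

```php
<?php
// Constructed sample account; values are illustrative only.
$password = 'correct horse';
$salt     = 'x7Q';

// Assumed vBulletin 3 stored form: md5(md5(password) . salt)
$vb_stored = md5(md5($password) . $salt);

// Hypothetical external backend: keeps its own hash of the plaintext.
// SHA-256 is a stand-in, not the algorithm Lotus Notes uses.
$backend_stored = hash('sha256', $password);

// vBulletin-style check: accepts the client-side MD5, or, when JavaScript
// is off, the plaintext, which the server MD5s before salting.
function vb_verify(string $stored, string $salt, ?string $plain, ?string $md5): bool
{
    $inner = ($md5 !== null && $md5 !== '') ? $md5 : md5((string) $plain);
    return hash_equals($stored, md5($inner . $salt));
}

// Hypothetical backend check: it hashes whatever it is handed, so it only
// matches when it is handed the real plaintext.
function backend_verify(string $stored, string $submitted): bool
{
    return hash_equals($stored, hash('sha256', $submitted));
}

$client_md5 = md5($password); // what the login form's JavaScript submits

$results = [
    'vB, JavaScript on (md5 only)'     => vb_verify($vb_stored, $salt, null, $client_md5),
    'vB, JavaScript off (plaintext)'   => vb_verify($vb_stored, $salt, $password, null),
    'backend given client md5'         => backend_verify($backend_stored, $client_md5),
    'backend given plaintext over SSL' => backend_verify($backend_stored, $password),
];

foreach ($results as $case => $ok) {
    printf("%-34s %s\n", $case, $ok ? 'accepted' : 'rejected');
}
```

In both vBulletin paths the submitted value is exactly what the server accepts, so the SSL link mentioned in the thread is what protects the credential in transit, whether or not the client-side MD5 is used.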