Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
  #1  
Old 06-11-2009, 06:47 AM
THE UNCEN THE UNCEN is offline
 
Join Date: Aug 2006
Posts: 10
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Making a separate login system

I'm making a separate login system. Can someone briefly explain to me how the vbulletin system checks passwords?
Reply With Quote
  #2  
Old 06-11-2009, 07:42 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Passwords in the database are hashed like so:
PHP Code:
$password md5(md5($plaintext) . $salt); 
Reply With Quote
  #3  
Old 06-12-2009, 04:28 AM
THE UNCEN THE UNCEN is offline
 
Join Date: Aug 2006
Posts: 10
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

What is the $salt formula they use?
Reply With Quote
  #4  
Old 06-12-2009, 07:07 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

It is the "salt" field in the database row for the user.
Reply With Quote
  #5  
Old 06-14-2009, 05:07 AM
THE UNCEN THE UNCEN is offline
 
Join Date: Aug 2006
Posts: 10
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thanks!

Next question... what does vbulletin use to create the password stored as the bbpassword cookie?
Reply With Quote
  #6  
Old 06-14-2009, 05:36 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

It is the hashed password, along with the "cookie salt" (license number).
PHP Code:
$cookie md5($password COOKIE_SALT); 
Reply With Quote
  #7  
Old 06-14-2009, 11:47 PM
THE UNCEN THE UNCEN is offline
 
Join Date: Aug 2006
Posts: 10
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Ah, that gets me past that.

Next question... does vbulletin check the password in the DB every time it loads a page? I want to know the work flow vB uses to verify the user.
Reply With Quote
  #8  
Old 06-15-2009, 12:07 AM
ForumsMods ForumsMods is offline
 
Join Date: Aug 2007
Location: Argentina
Posts: 667
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

PHP Code:
function verify_authentication($username$password$md5password$md5password_utf$cookieuser$send_cookies)
{
    global 
$vbulletin;

    
$username strip_blank_ascii($username' ');
    if (
$vbulletin->userinfo $vbulletin->db->query_first("SELECT userid, usergroupid, membergroupids, infractiongroupids, username, password, salt FROM " TABLE_PREFIX "user WHERE username = '" $vbulletin->db->escape_string(htmlspecialchars_uni($username)) . "'"))
    {
        if (
            
$vbulletin->userinfo['password'] != iif($password AND !$md5passwordmd5(md5($password) . $vbulletin->userinfo['salt']), '') AND
            
$vbulletin->userinfo['password'] != iif($md5passwordmd5($md5password $vbulletin->userinfo['salt']), '') AND
            
$vbulletin->userinfo['password'] != iif($md5password_utfmd5($md5password_utf $vbulletin->userinfo['salt']), '')
        )
        {
            
$return_value false;
            (
$hook vBulletinHook::fetch_hook('login_verify_failure_password')) ? eval($hook) : false;
            if (isset(
$return_value))
            {
                
// unset $return_value if you want to run the $send_cookies stuff
                
return $return_value;
            }
        }
        else if (
$vbulletin->userinfo['password'] == '')
        {
            
// sanity check, though there should never really be an empty string for a password
            
$return_value false;
            (
$hook vBulletinHook::fetch_hook('login_verify_failure_password')) ? eval($hook) : false;
            if (isset(
$return_value))
            {
                
// unset $return_value if you want to run the $send_cookies stuff
                
return $return_value;
            }
        }

        if (
$send_cookies)
        {
            if (
$cookieuser)
            {
                
vbsetcookie('userid'$vbulletin->userinfo['userid'], truetruetrue);
                
vbsetcookie('password'md5($vbulletin->userinfo['password'] . COOKIE_SALT), truetruetrue);
            }
            else if (
$vbulletin->GPC[COOKIE_PREFIX 'userid'] AND $vbulletin->GPC[COOKIE_PREFIX 'userid'] != $vbulletin->userinfo['userid'])
            {
                
// we have a cookie from a user and we're logging in as
                // a different user and we're not going to store a new cookie,
                // so let's unset the old one
                
vbsetcookie('userid'''truetruetrue);
                
vbsetcookie('password'''truetruetrue);
            }
        }
        
$return_value true;
        (
$hook vBulletinHook::fetch_hook('login_verify_success')) ? eval($hook) : false;
        return 
$return_value;
    }

    
$return_value false;
    (
$hook vBulletinHook::fetch_hook('login_verify_failure_username')) ? eval($hook) : false;
    return 
$return_value;

Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 05:21 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04398 seconds
  • Memory Usage 2,264KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (3)bbcode_php
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (8)post_thanks_box
  • (8)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (8)post_thanks_postbit_info
  • (8)postbit
  • (8)postbit_onlinestatus
  • (8)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete