Has the Logout Hash algorithm changed?

[evannn]

We've set up a test server with the latest ver 3.7.4 I noticed the logout hash has changed.

At present, we are running on 3.6.8 and is running fine.

May I know what's the latest algo to generate logout hash?

Thank

[Dismounted]

Yes, the logout hash has changed in vBulletin 3.7.

Pre-3.7 Logout Hash

PHP Code:

$logouthash = md5($userid . $salt . $license); 


3.7+ Logout Hash

PHP Code:

$logouthash = sha1($userid . sha1($salt) . sha1(COOKIE_SALT)); 


OR

PHP Code:

$logouthash = $vbulletin->userinfo['securitytoken_raw']; 


[evannn]

Many Thanks.

I suggest this thread be moved to the FAQ. Or, is the new algo change reflected inthe vBulletin manual?

Thanks

[Dismounted]

I do not believe any algorithms are in the manual in the first place.

[evannn]

How do you generate the value of "COOKIE_SALT"?

[Dismounted]

COOKIE_SALT is your license number. (NOT your customer number!)

[evannn]

Thanks Dismounted.

Are you able to confirm this is the correct mysql syntax for the new 3.7 algo? The result is vastly different.

Code:

select sha1(concat(user.userid,sha1( user.salt ),sha1('MYLICENSENUMBER'))) AS logouthash2 from user

I noticed the vB 3.7 generates the hash in this format: {Unix timestamp}-{Hash}

Is the unix timestamp any significant?
Thanks

[Dismounted]

Ah yes, I forgot about that. They actually changed the algorithm (again), in a later version. The algorithm I provided will work, but will not provide a time "expiry" check. The algorithm you mention is this ($rawhash being the result of the algorithm I gave you before):

PHP Code:

$tokenhash = TIMENOW . '-' . sha1(TIMENOW . $rawhash); 


[evannn]

*strangles dismounted* . LOL!

Thanks!

Okay. Any insights on how to generate the constant TIMENOW?

I'm sure it's not as straight forward as mysql's UNIX_TIMESTAMP() nor php's time()

[Dismounted]

TIMENOW is just generated with time(). vBulletin uses TIMENOW to keep the time constant over the entire script's execution.