How to create a user bridge? (Getting plain text password)

[lennix]

Hey there,

I've been searching for a solution of my problem for more than 2 days now and I can't find anything.

I'm running vBulletin 4.0 and I'm really happy with it. My Project is running a game server where you need to register an account to be able to play. I want to create a bridge, that registering on vBulletin also registers the user on the login server of my game server.
To achieve this I need the plain text password and the username of the user on registration and on change of password. I already hacked the login-routine but "$vbulletin->GPC['vb_login_password'];" is empty on "if ($_POST['do'] == 'login')" in login.php.

Do you have any idea how to resolve this problem? I would love to solve this with the cool plugin-system.

Thanks in advance,
Lennix aka. Pascal

[NickyDee]

It might be easier to just setup your game server to share the same user name and password tables with vBulletin, depending on how much control you have over the game server?

Problem with the vBulletin password is its double MD5 hashed and salted when its passed to and stored in the database. Getting the text version will require pretty extensive modification of vB, its also going to kill your users security and privacy because their password will be passing around with no encryption on it.

[lennix]

The main problem is that the game server and the web server are running on different systems. And due to security matters we only have a one-way connection web server->game server established.

Somebody told me that at the moment I click on login the password is already hashed using javascript. Is that true? Because then I have to give up and create another page for registration on the game server. I could run it inside vBulletin so that the players are forced to sign up on our boards.

But if the password is hashed on the backend using php I could grep it and work with it.

Best regards,
Lennix aka. Pascal

[NickyDee]

Quote:

Originally Posted by lennix

Somebody told me that at the moment I click on login the password is already hashed using javascript. Is that true? Because then I have to give up and create another page for registration on the game server. I could run it inside vBulletin so that the players are forced to sign up on our boards.

But if the password is hashed on the backend using php I could grep it and work with it.

I'm fairly certain the hash is achieved with javascript. This means that the password is hashed before it leaves the page (so the password isn't vulnerable if its intercepted during the exchange).

I would consider setting this up as something like a compulsary user profile field on signup that is passed to your game server when they login. If your current users haven't completed the field then they get an error message or even a redirect to complete the compulsary field.