• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Question regarding P2H extension for xenForo

Mr. Goodie2Shoes

Well-known member
#1
okay... for some reason the THT people haven't yet developed a P2H module for xenForo... so I am trying to create one... all the things are done but can't find how the password is stored... I know how the password is encrypted and where it is stored.

The encryption hash is SHA1... can anyone guide me where the "SALT" is stored or anything like that?
 

Fuhrmann

Well-known member
#2
Xenforo salts passwords server side.

PHP:
/**
    * Generates an arbtirary length salt
    *
    * @return string
    */
    public static function generateSalt($length = null)
    {
        if (!$length)
        {
            $length = self::DEFAULT_SALT_LENGTH;
        }
 
        return XenForo_Application::generateRandomString($length);
    }
PHP:
/**
    * Generates a psuedo-random string of the specified length.
    *
    * @param integer $length
    *
    * @return string
    */
    public static function generateRandomString($length)
    {
        while (strlen(self::$_randomData) < $length)
        {
            // openssl_random_pseudo_bytes is *ridiculously* slow on windows
            if (function_exists('openssl_random_pseudo_bytes') && substr(PHP_OS, 0, 3) != 'WIN')
            {
                self::$_randomData .= bin2hex(openssl_random_pseudo_bytes(max($length, 1024) / 2));
            }
            else
            {
                self::$_randomData .= md5(uniqid(mt_rand(), true));
            }
        }
 
        $return = substr(self::$_randomData, 0, $length);
        self::$_randomData = substr(self::$_randomData, $length);
 
        return $return;
    }

File: library/XenForo/Application.php
 

Mr. Goodie2Shoes

Well-known member
#3
umm yeah... I've seen the same coding in
library/XenForo/Authentication/Core.php

I know xenForo generates a random string... but doesn't it need to stored somewhere in the database? like there's a 'SALT' field in the members table in vBulletin...
 

Kier

XenForo Developer
Staff member
#7
Everything is stored in the xf_user_authenticate table as serialized data in the 'data' BLOB field.
 

Mr. Goodie2Shoes

Well-known member
#8
yes, I see scheme_class, data and remember_key

what is the [BLOB xxxB] thingy? and I am thinking that the remember_key is where the SHA1 hash is stored?