XF 1.1 Verify User Account Details

I have an external script which I need to query the forum database and verify the username/password entered is valid.

In vB it was straightforward (double MD5 on password, both in same table). I'm new to XF though; could anyone point me in the right direction for password locations and encryption?

Jake Bunce (XenForo moderator, staff member):

The passwords are stored in the xf_user_authenticate table in the database. See this file for the auth code:


XenForo uses a salted double hash using either SHA1 or SHA256:

sha1(sha1(password) . salt)


sha256(sha256(password) . salt)

You will need to fetch the auth record and then verify the password using PHP code. This is because the data is serialized so it can't be queried directly. And MySQL doesn't have a SHA256 function, only SHA1.
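
The check described in the answer above, as an added example that is not part of the original thread and is not XenForo's own code. It takes the serialized auth value already fetched from xf_user_authenticate; the array keys `hash`, `salt` and `hashFunc`, the function name `verifyXfPassword`, and the sample record are assumptions made for illustration.

```php
<?php
// Added example, not XenForo's own code. Assumed record layout (not stated
// in the thread): a serialized array with keys 'hash', 'salt', 'hashFunc'.

function verifyXfPassword(string $serializedAuth, string $password): bool
{
    // The blob comes from the database: decode it as plain data only and
    // never allow it to instantiate objects.
    $auth = @unserialize($serializedAuth, ['allowed_classes' => false]);
    if (!is_array($auth)
        || !isset($auth['hash'], $auth['salt'])
        || !is_string($auth['hash'])
        || !is_string($auth['salt'])
    ) {
        return false;
    }

    // Accept only the two functions named in the answer. If the record does
    // not name one (assumption), infer it from the hex length of the hash.
    $func = $auth['hashFunc'] ?? (strlen($auth['hash']) === 40 ? 'sha1' : 'sha256');
    if (!in_array($func, ['sha1', 'sha256'], true)) {
        return false;
    }

    // func(func(password) . salt), as given in the answer.
    $expected = hash($func, hash($func, $password) . $auth['salt']);

    // Constant-time comparison so the check does not leak how many
    // leading characters of the hash matched.
    return hash_equals($auth['hash'], $expected);
}

// Constructed sample record (not real forum data).
$salt = 'constructed-salt-value';
$record = serialize([
    'hash'     => hash('sha256', hash('sha256', 'correct horse') . $salt),
    'salt'     => $salt,
    'hashFunc' => 'sha256',
]);

var_dump(verifyXfPassword($record, 'correct horse'));        // matching password
var_dump(verifyXfPassword($record, 'wrong password'));       // non-matching password
var_dump(verifyXfPassword('O:8:"stdClass":0:{}', 'anything')); // not an array: rejected
```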