XenForo Password Encryption

Z

ZoomZaa

Member
How does XenForo Password Encryption work?
I'm trying to code a PHP script to check whether or not the input password matches with the password stored in the database.
I've tried [' sha1(sha1($password) . salt) '] but didn't work.
What exactly the formula is?
 
Sort by date Sort by votes
You've tried both and they didn't work?

They are the only methods used by XenForo to hash passwords. The method used depends on whether you have the relevant PHP extension installed.
 
Upvote 0 Downvote
Have a look in XenForo_Authentication_Core for the algorithm. Your hashing algorithm will either be sha1 or sha256, depending on whether you have the ability to do it.
So:
PHP: 
sha1(sha1($password) . $salt);
or
PHP: 
sha256(sha256($password) . $salt);
 
Upvote 0 Downvote
Chris Deeming said:
You've tried both and they didn't work?

They are the only methods used by XenForo to hash passwords. The method used depends on whether you have the relevant PHP extension installed.
Click to expand...

No. They didn't work.
When I used SHA1, the result was not the same as the one in the database.
When I used SHA256, it resulted in error.
 
Upvote 0 Downvote
What was the error?

Is the PHP script and XenForo install running on the same server? If not, it's possible that your server running the PHP script doesn't have the correct PHP extension installed whereas your XenForo install does.
 
Upvote 0 Downvote
James said:
Are you using the salt also? Are you making sure you hash the password then re-hash it with the salt?
Click to expand...
I used:
sha1(sha1($password) . salt)
Was this correct?
Chris Deeming said:
What was the error?

Is the PHP script and XenForo install running on the same server? If not, it's possible that your server running the PHP script doesn't have the correct PHP extension installed whereas your XenForo install does.
Click to expand...
They're running on the same server.
The error was an Internal error. Seemed like the server could not define SHA256. So, the stored passwords should be SHA1-encrypted, shouldn't they?
 
Upvote 0 Downvote
ZoomZaa said:
I used:
sha1(sha1($password) . salt)
Was this correct?

They're running on the same server.
The error was an Internal error. Seemed like the server could not define SHA256. So, the stored passwords should be SHA1-encrypted, shouldn't they?
Click to expand...
Yep, that's correct. I'm not sure why it wouldn't return the same string unless something is wrong in the password and/or salt.

You should create a test account, grab the hash from the database, grab the salt and create a script to see if the hash is correct.
 
Upvote 0 Downvote
We'd probably need to see your code to be able to debug it effectively.

At the moment we can only see one half of the equation, e.g. the actual formula XenForo uses. The part we can't see, e.g. your script might be the part that leads us to the solution.
 
Upvote 0 Downvote
Chris Deeming said:
We'd probably need to see your code to be able to debug it effectively.

At the moment we can only see one half of the equation, e.g. the actual formula XenForo uses. The part we can't see, e.g. your script might be the part that leads us to the solution.
Click to expand...
Thanks for your support.

Here is my script:


Code: 
<?php
$username = $_POST['username'];
$password = $_POST['password'];
$password = sha1(sha1($password) . salt);
$con = mysql_connect("localhost","*****","*****");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("mcsmilew_forum",$con);
$idsearch = mysql_query("SELECT user_id FROM xf_user WHERE username = '$username'");
while ($row = mysql_fetch_assoc($idsearch)) {
$user_id = $row['user_id'];
$authenticate = mysql_query("SELECT remember_key FROM xf_user_authenticate WHERE user_id = '$user_id'");
while ($row = mysql_fetch_assoc($authenticate)) {
$forumpassword = $row['remember_key'];
}
if($password == $forumpassword){
echo "Password Correct";
}
else{
echo "Password Incorrect<br>";
}
}
?>

I'm still new in PHP, I'd love to hear your advice too. :)
 
Upvote 0 Downvote
I'm relatively new to PHP also, and the only PHP experience I have is ALL XenForo.

I've just figured out this little script that may help...

Because I always think in XenForo, I literally do nothing unless it involves XenForo. So the following does what you want, but entirely using XenForo functions and classes. You should be able to call these from your script.

PHP: 
<?php

$startTime = microtime(true);
$fileDir = dirname(__FILE__);

require($fileDir . '/library/XenForo/Autoloader.php');
XenForo_Autoloader::getInstance()->setupAutoloader($fileDir . '/library');

XenForo_Application::initialize($fileDir . '/library', $fileDir);
XenForo_Application::set('page_start_time', $startTime);

$username = 'Kier';
$password = 'KiersPassword';

$db = XenForo_Application::getDb();

$data = $db->fetchOne('
	SELECT
		auth.data
	FROM xf_user_authenticate AS auth
	INNER JOIN xf_user AS user ON
		(user.user_id = auth.user_id)
	WHERE user.username = ?
', $username);

$auth = XenForo_Authentication_Abstract::createDefault();

$auth->setData($data);

$check = $auth->authenticate($username, $password);

Zend_Debug::dump($check);

So, talking through it.

The first 10 lines (before $username) basically load XenForo's classes.

You need to specify the full server path to Autoloader.php, in my case my PasswordCheck.php is in the XenForo root so the __FILE__ parameter is sufficient.

I then set the username and password (obviously this can be retrieved from $_POST parameters instead).

I then get the database. This handles all of the database authentication and everything.

Big difference between my code and your code is I'm selecting 'data' from xf_user_authenticate NOT the remember_key. I'm not sure what the remember_key is, but it's something different. I believe data essentially contains your password hash and salt amongst other things in a serialised array.

Now I've got that, I create the default XenForo authentication object and set the data I retrieved from the database.

I can then make a call to the authenticate function and pass in my username and password.

The response will either be true or false. I have dumped the response using Zend_Debug::dump($check)
 

Attachments

Upvote 0 Downvote
Chris Deeming said:
I'm relatively new to PHP also, and the only PHP experience I have is ALL XenForo.

I've just figured out this little script that may help...

Because I always think in XenForo, I literally do nothing unless it involves XenForo. So the following does what you want, but entirely using XenForo functions and classes. You should be able to call these from your script.

PHP: 
<?php
 
$startTime = microtime(true);
$fileDir = dirname(__FILE__);
 
require($fileDir . '/library/XenForo/Autoloader.php');
XenForo_Autoloader::getInstance()->setupAutoloader($fileDir . '/library');
 
XenForo_Application::initialize($fileDir . '/library', $fileDir);
XenForo_Application::set('page_start_time', $startTime);
 
$username = 'Kier';
$password = 'KiersPassword';
 
$db = XenForo_Application::getDb();
 
$data = $db->fetchOne('
SELECT
auth.data
FROM xf_user_authenticate AS auth
INNER JOIN xf_user AS user ON
(user.user_id = auth.user_id)
WHERE user.username = ?
', $username);
 
$auth = XenForo_Authentication_Abstract::createDefault();
 
$auth->setData($data);
 
$check = $auth->authenticate($username, $password);
 
Zend_Debug::dump($check);

So, talking through it.

The first 10 lines (before $username) basically load XenForo's classes.

You need to specify the full server path to Autoloader.php, in my case my PasswordCheck.php is in the XenForo root so the __FILE__ parameter is sufficient.

I then set the username and password (obviously this can be retrieved from $_POST parameters instead).

I then get the database. This handles all of the database authentication and everything.

Big difference between my code and your code is I'm selecting 'data' from xf_user_authenticate NOT the remember_key. I'm not sure what the remember_key is, but it's something different. I believe data essentially contains your password hash and salt amongst other things in a serialised array.

Now I've got that, I create the default XenForo authentication object and set the data I retrieved from the database.

I can then make a call to the authenticate function and pass in my username and password.

The response will either be true or false. I have dumped the response using Zend_Debug::dump($check)
Click to expand...
Many Thanks!
Does $auth stand for the result (true or false), right?
 
Upvote 0 Downvote
It's built into XenForo and loaded along with the XenForo Autoloader.

For testing purposes you could equally just use something like:
PHP: 
if ($check)
{
	echo 'success';
}
else
{
	echo 'fail';
}
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

G
  • Question Question
XF 2.2 What should I be using for Email Transport Method?
Replies
2
Views
476
GenCommunity
G
C
  • Question Question
XF 2.2 Schema Documentation?
Replies
2
Views
559
chris p
C
FoxSecrets
XF 2.2 How to call back own custom fields
Replies
2
Views
240
Robert9
R
nogridhome.com
  • Question Question
XF 2.2 Missing reset password email
Replies
6
Views
1K
Nicolas FR
N
dunowat
Private IP showing instead of Public IP.
Replies
3
Views
280
dunowat
dunowat
Top Bottom