cookie password hashing

  • john.parlane
    New Member
    • Jan 2009
    • 7

    cookie password hashing

    How do I derive the bbpassword hashed password value stored in the cookie from the user.password value as stored in the database for a given user?

    I need to be able to do this so I can fix the LDAP authentication plugin here http://www.vbulletin.org/forum/showthread.php?t=196596 which is not setting the cookie bbpassword when it sets user passwords, so it's not obeying the 'remember me' tick box.

    The process is documented in numerous places as:

    Code:
    md5(md5(md5($cleartext_password) + $salt) + $license_id)
    where license_id is the 'VBF*******' value of your license and $salt is user.salt value from the db.

    However when I code this, I do not get the same hashed value as what is stored in the cookie.

    Note that I can successfully generate the user.password hash as stored in the database with md5(md5($password) + $salt).

    The code I am using is very simply:

    Code:
    <?php
        // Connect to the vBulletin database (legacy mysql_* extension, as in the original post).
        $db_link = mysql_connect('localhost', 'root', 'xxxxxx') or die('Could not connect: ' . mysql_error());
        mysql_select_db('vbull') or die('Could not select database');
        // Fetch the stored salt and password hash for the user under test.
        $users_query = "select salt, password from vbull.user where username = 'xxxxx.xxxxx'";
        $results_cursor = mysql_query($users_query) or die($users_query . ' - Query failed: ' . mysql_error());
        while ($user_row = mysql_fetch_array($results_cursor, MYSQL_ASSOC)) {
           $db_pwd = $user_row['password'];
           $db_salt = $user_row['salt'];
        }
        // Recompute user.password: md5(md5(cleartext) . salt).
        $calc_db_pwd = md5(md5('cleartextpassword') . $db_salt);
        echo 'calc_db_pwd: ' . $calc_db_pwd . ' stored_db_pwd: ' . $db_pwd . '<br>';
        // Cookie value per the documented formula (appends the license ID).
        $calc_cookie_pwd = md5($calc_db_pwd .'VBFxxxxxxx');
        echo 'calc cookie bbpassword: ' . $calc_cookie_pwd . '<br>';
    ?>
    The $calc_db_pwd matches the hashed value stored in the database for the user in question, but the $calc_cookie_pwd produced does not match the bbpassword value in the cookie.

    I'm really stumped here. I think I'm doing exactly what has been documented but no go.

    Has the way the cookie pwd is being generated changed recently?

    Would really appreciate some help on this one.
    Last edited by john.parlane; Thu 29 Apr '10, 6:05pm.
  • john.parlane
    New Member
    • Jan 2009
    • 7

    #2
    Looks like the cookie password does not include the license number after all, but is actually
    md5($calc_db_pwd .COOKIE_SALT);

    COOKIE_SALT is an internal hashed value by the looks, derived from where I don't know, anyway, this seems to work.
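
The two derivations described in posts #1 and #2, with a constant-time check of a presented cookie, as an added example that is not part of the original thread and not vBulletin's own code. The salt values are constructed, `EXAMPLE_COOKIE_SALT` is a placeholder for the board's `COOKIE_SALT` (the thread does not say where it is defined), and the function names are hypothetical.

```php
<?php
// Added example: constructed values only, none taken from a real board.
const EXAMPLE_COOKIE_SALT = 'constructed-cookie-salt'; // placeholder for the board's COOKIE_SALT
const EXAMPLE_LICENSE_ID  = 'VBFxxxxxxx';              // masked, as in the thread

/** user.password as described in post #1: md5(md5(cleartext) . salt). */
function db_password_hash(string $cleartext, string $salt): string
{
    return md5(md5($cleartext) . $salt);
}

/** bbpassword as described in post #2: md5(user.password . COOKIE_SALT). */
function cookie_password_hash(string $dbHash, string $cookieSalt): string
{
    return md5($dbHash . $cookieSalt);
}

/** Compare a presented bbpassword cookie with the expected value. */
function cookie_matches(string $presented, string $dbHash, string $cookieSalt): bool
{
    // Reject anything that is not a 32-character lowercase hex MD5 digest.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $presented)) {
        return false;
    }
    // hash_equals() compares in constant time, unlike == or strcmp().
    return hash_equals(cookie_password_hash($dbHash, $cookieSalt), $presented);
}

$salt   = 'a1!';                                        // constructed user.salt
$dbHash = db_password_hash('cleartextpassword', $salt); // what the database would hold

// Value an authentication plugin would need to place in bbpassword.
$cookie = cookie_password_hash($dbHash, EXAMPLE_COOKIE_SALT);

// The license-ID formula from post #1, kept for comparison.
$licenseBased = md5($dbHash . EXAMPLE_LICENSE_ID);

var_dump(cookie_matches($cookie, $dbHash, EXAMPLE_COOKIE_SALT));       // COOKIE_SALT formula
var_dump(cookie_matches($licenseBased, $dbHash, EXAMPLE_COOKIE_SALT)); // license-ID formula
```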


    • jhabers
      Senior Member
      • Nov 2009
      • 125
      • 4.0.0

      #3
      I am running into this same problem, where are you getting COOKIE_SALT from?
      Maxum Boat Forum / Computer Repair Cary NC
