It would be nice if IB would find a way to say "go for it" to Andreas, i.e. Andreas releasing sprints for vb4, instead of releasing on vb.org.
xenforo to vBulletin importer
Wayne Luke
The Rabid Badger - a vBulletin Cloud demonstration site.
vBulletin 5 API
But doing something like giving imported users an error when the login fails and letting them input their unhashed password to a "XF auth" and then storing it for vBulletin isn't actually that complicated.
I disagree with such a system giving an error, when the password doesn't match the vB hash though. How would the system know the user just didn't properly type in the password? This "imported password correction system" should just simply happen, as soon as the password doesn't match against the XF hash for the first login.
vBulletin does not transfer the plaintext password but only its MD5 hash.
To be able to authenticate against a XF scheme the plaintext password would be required, so if you want this to happen automatically you would have to remove the MD5-Hashing for all logins.
XF can handle different authentication schemes because it does always transfer the plaintext password.
Granted that MD5-Hashes are not that hard to break, it makes it at least a bit more difficult for the occasional "sniffer"; if this is removed I personally would at least recommend to use SSL for logins.
That's basically what I said before
Reject the first (MD5) authentication attempt with an error and try again with the plaintext password (against the foreign authentication scheme) if the account is flagged - if it succeeds update the password, if not produce an error.
Whether that happens visibly or "behind the scenes" are implementation details.
However, if the account isn't already flagged as "correct" through the vB authentication scheme (like it was freshly imported), then you don't need to send out a form which will hash the password at the first attempt.
I don't see any way to avoid two authentication attempts if you don't want to give up on hashing at all (unless you want to introduce some "preflight AJAX call" just to check if an account with the entered username does exist and is not yet flagged).
You don't have to reject the first attempt to ask for the password again.
But as said before, those would be just implementation details.
Last edited by Andreas; Mon 4 Jun '12, 10:25am.
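The two-attempt login discussed in the posts above, sketched as an added example (not code from the thread, vBulletin or XenForo). It assumes vBulletin stores md5(md5(password) + salt) and the imported XenForo hash is sha256(sha256(password) + salt); the `scheme` flag, record layout and function names are hypothetical, and the sample account is constructed.

```python
import hashlib
import hmac
import secrets

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def vb_hash(md5_password, salt):
    # Assumed vBulletin scheme: the browser sends md5(password),
    # the server stores md5(md5(password) + salt).
    return md5_hex(md5_password + salt)

def xf_hash(password, salt):
    # Assumed imported XenForo scheme: sha256(sha256(password) + salt).
    inner = hashlib.sha256(password.encode()).hexdigest()
    return hashlib.sha256((inner + salt).encode()).hexdigest()

def login(user, md5_password=None, plaintext=None):
    """Return 'ok', 'need_plaintext' or 'fail' for one login attempt."""
    if user["scheme"] == "vb":
        # Normal path: only the MD5 of the password ever reaches the server.
        if md5_password is None:
            return "fail"
        expected = vb_hash(md5_password, user["salt"])
        return "ok" if hmac.compare_digest(expected, user["hash"]) else "fail"
    # Flagged (freshly imported) account: the MD5 cannot be checked against
    # the foreign hash, so a second attempt with the plaintext is required.
    # That attempt should only travel over TLS. Note that this response
    # tells the client the account exists and is not yet migrated.
    if plaintext is None:
        return "need_plaintext"
    if not hmac.compare_digest(xf_hash(plaintext, user["salt"]), user["hash"]):
        return "fail"  # wrong password: the flag stays set, nothing is stored
    # Correct password: re-hash into the native scheme and clear the flag.
    user["salt"] = secrets.token_hex(15)
    user["hash"] = vb_hash(md5_hex(plaintext), user["salt"])
    user["scheme"] = "vb"
    return "ok"

def make_imported_user(password, salt):
    # Constructed sample record standing in for an imported XenForo row.
    return {"scheme": "xf", "salt": salt, "hash": xf_hash(password, salt)}

if __name__ == "__main__":
    u = make_imported_user("correct horse", "constructed-salt")
    print(login(u, md5_password=md5_hex("correct horse")))  # first attempt
    print(login(u, plaintext="correct horse"))               # second attempt
    print(login(u, md5_password=md5_hex("correct horse")))  # later logins
```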