User authentication

[v1rax]

hello I'm making a application that will be hosted on the different server from my joomla installaion. I want this application to use my joomla user DB.

so far I've finished the registration system .. works perfect (reged users from the remote server login without problem on joomla).


I figured out how to insert password in the DB using joomlas format "md5($password.$salt):salt" ...now I need help with comparing the user input login password  to the encoded password in the db jos_users.

I'm not very good in php help would be appreciated.

note: I use remote mysql connection to interact with my joomla's db from the remote server.

[ianmac]

Well...  say you had the user's password...  how would you get the value to match the one in the database?

You have answered the question yourself really...

You insert the password, hash it using md5 ($password.$salt):salt...  right?

So, you have password...  and you can get the salt...

So calculate md5( $password.$salt ) and compare it to the value in the database.

Ian

[v1rax]

ok lets say I creat a user with this info ... username:test password:test  then delete that user and remake with same info .. would it have the same salt and  hash as the first one?

oh and I understand what to do with comparing the values now... thanks

[ianmac]

No, the salt just be randomly generated every time you save a password.  Just store the new salt along with the password.

Ian

[v1rax]

hmm I'm having some problems..


I'm thinking that I'm going to have to  do the same "md5 ($password.$salt):salt" with the user input from the login form to be able to compare it with whats in the db. this would result in the creation of a different salt.. or is there a way to decrypt the db info and change it to plain text so i can compare it with the user input.. 

[ianmac]

When comparing,

get the salt from the database, add it to the password, and md5 hash it.

This value should equal the hashed value stored in the database.

Ian

[v1rax]

the original salt is stored as "hashed password:original salt" in the password field.. how can I get the original salt without getting the hased password too.

Thanks for helping

[ianmac]

Just grab the part after the colon.

Ian

[v1rax]

hey thanks something like this did it!

Code: Select all

    
$result = mysql_query("select password from jos_users where username='$username' limit 1"); 
$passw = explode(":",mysql_result($result,0));
$after_sqlt = $passw[1];