• 0

Check IPB Password


Question

I'm posting this in the IPB forum, but it may need to be in the programming forum - i wasn't sure.

I'm writing an application in ASP.NET/C# that i want to be attached to my IPB forum.

By attached, i mean i want to use the same database, and the same set of users/members.

I'm trying to figure out how IPB stores its passwords. I found WHERE they are stored in the members table... and it appears that it is a hash of some variety (md5?) but even knowing my own password, i can't seem to duplicate it properly.

Can anyone help point me in the right direction on this?

Thanks in advance.

https://www.neowin.net/forum/topic/317007-check-ipb-password/

16 answers to this question


  • 0

Hi, nowimnothing, my site is built around the ipb forum login system, so I might be able to answer some questions.

But first, what is the problem: checking to see if a user is logged in, or logging in a user?

If it is the first part then I can help you; if it is the second then I can't help you that much, since I use the forum's login system.

EDIT: I am attaching a stripped-down version of the code I am using. Class1.zip

I didn't have the source code available, so I decompiled it from the assembly used by my site. It may not compile, and it is far from complete, but hopefully it will get you on your way.

Edited by rundkaas
  • 0

I was originally thinking that i would just do the login myself... but perhaps this is a better way to do it.

I haven't gotten the chance to look at your code yet (i'll do that when i get to work) but if it can allow me to do what you say pretty easily - then this might be problem solved even better than i was hoping!

Thanks! and i'll let you know what i figure out after looking at the code.

  • 0

OK, looked at the code, tested it a bit - easy enough.

So now i just have a question - how do you handle the actual login process.

if they're not logged in... i'm guessing you redirect them to the forum's login page.

do you have a way to tell IPB to redirect them back to yours after logging in, or do they have to do that manually?

  • 0

If you want to do the login yourself then you have a twofold problem.

You have to verify the user.

You have to save the passhash and userid to a cookie.

For the first part I can't help you now, but I have done it before, and if you know basic SQL it should not pose too great a problem. Just remember to check the input very strictly, and use parameters; if not, someone could do an SQL injection attack.

As for the second part, which is quite simple, this code might help you.

    HttpCookie httpCookie1 = new HttpCookie("member_id", memberID);
    // member id obtained from the database query
    DateTime dateTime = DateTime.Now;
    httpCookie1.Expires = dateTime.AddYears(2);
    base.Response.Cookies.Add(httpCookie1);
    HttpCookie httpCookie2 = new HttpCookie("pass_hash", passHash);
    // passhash obtained from the database query
    dateTime = DateTime.Now;
    httpCookie2.Expires = dateTime.AddYears(2);
    base.Response.Cookies.Add(httpCookie2);
    base.Response.Redirect("/"); // add a more intelligent redirect

  • 0

really the only part i'm having a problem with right now is how to hash the user's entered password properly to check it against the one stored in the database.

i am guessing that it's an MD5 Hash of some variety, but i don't know for sure, and i'm not sure exactly how to convert the password string entered by the user into the proper-encoded byte array that the MD5 hash provider in .NET needs.

Once i get that, i should have all the pieces in place.

can you help me w/ that part?

  • 0

I was stuck there a long time as well, and no matter what I did, I could not reproduce the hash.

"If you can't go in the front door, try the back".

So what I came up with is to use the md5() function built into mysql.

select * from forumusers where legacy_key = md5(?passhash);
?passhash is a parameter. (This query is reproduced from memory, and is probably not 100% correct, but the core idea is there.)

Be advised the hash generated is the same as the legacy key, NOT the passhash to be saved to cookie.

In other words you get the user by comparing to the legacy key. Then if the result is a row, you have the user, and you can now save the passhash to cookie.

The reason there are two hashes is that the second contains a salt (a random value saved in the convergence table). If someone then got hold of the hash with salt, it can't be used at other sites where you have used that password (and which use MD5, of course).

  • 0

knowing what my own password was, i tried this via the SQL toolkit thing in IPB admin... just to see if i could get it to match. i ran the following query:

SELECT md5(concat(md5('abcdefgh'),'#####'))

where 'abcdefgh' was my password that i knew and '#####' was the salt stored in the members_converge.converge_pass_salt field.

it did not match either the members.member_login_key or the members_converge.converge_pass_hash fields for my user...

ugh, i figured this would be a simple hash or hash and salt that i could duplicate, didn't expect to not be able to discover this...

  • 0
"taking a quick glance at my table - i don't have anything in my legacy_password field in my database... every user is empty for that."

My database was upgraded from 1.3 some time ago, this is probably the reason I have it.

Just go with what prism128 said with one alteration; the salt is in the table: forummembers_converge (as I said before, and remember forum is my prefix).

  • 0

he he, it's quite simple really! :D

-- ?username and ?password are bound parameters
SELECT c.converge_id, c.converge_pass_salt, c.converge_pass_hash, m.name
FROM `forummembers_converge` c, forummembers m
WHERE m.name = ?username
  AND c.converge_id = m.id
  AND md5(concat(md5(c.converge_pass_salt), md5(?password))) = c.converge_pass_hash

remember to md5 both salt and password, concat them, and then md5 the entire lot!
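
The same check done in C# instead of in MySQL, as an added example that is not code from any poster or from IPB. The class and method names are hypothetical, the sample salt and password are constructed, and UTF-8 encoding of the password is an assumption; the point it shows is that each inner md5 must be the 32-character lowercase hex text that PHP and MySQL produce, not the raw 16 digest bytes.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class IpbPassword   // hypothetical helper, not part of IPB
{
    // md5() in PHP and MySQL returns 32 lowercase hex characters; the outer
    // hash is taken over that text, so .NET must format the digest the same way.
    static string Md5Hex(string text)
    {
        using (MD5 md5 = MD5.Create())
        {
            byte[] digest = md5.ComputeHash(Encoding.UTF8.GetBytes(text)); // UTF-8 assumed
            StringBuilder sb = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest) sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // md5( md5(salt) + md5(password) ), matching the SQL query in the thread.
    public static string ConvergeHash(string salt, string password)
    {
        return Md5Hex(Md5Hex(salt) + Md5Hex(password));
    }

    // Compare every character with no early exit, so response timing does
    // not reveal how much of the stored hash matched.
    public static bool Verify(string salt, string password, string storedHash)
    {
        string computed = ConvergeHash(salt, password);
        string stored = (storedHash ?? "").Trim().ToLowerInvariant();
        int diff = computed.Length ^ stored.Length;
        for (int i = 0; i < computed.Length && i < stored.Length; i++)
            diff |= computed[i] ^ stored[i];
        return diff == 0;
    }

    public static void Main()
    {
        string salt = "a1B2c";          // constructed sample salt
        string password = "abcdefgh";   // constructed sample password
        string stored = ConvergeHash(salt, password); // stands in for converge_pass_hash
        Console.WriteLine(Verify(salt, password, stored));
        Console.WriteLine(Verify(salt, "wrong-guess", stored));
        // The earlier attempt in the thread, md5(md5(password) + salt), does not match.
        Console.WriteLine(Md5Hex(Md5Hex(password) + salt) == stored);
    }
}
```

In the application, salt and storedHash would come from converge_pass_salt and converge_pass_hash, fetched with a parameterized query keyed on the member.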

  • 0

ahh yes. hash the salt, put the salt in the front... things i didn't do.

GREAT!

thanks so much for your help, i've got it all working now the way i think it should!

  • 0

No problem, hope it works out for you. :)

(If you are wondering how I figured it out, you might consider reading the forum source code; if that doesn't help then there is a serious problem.)

  • 0

OK, so i lied.

It's ALMOST working.

My site can read the IPB cookies just fine and knows who is logged in and everything based off the cookie and calls to the database.

My site can read my own cookies that i write if i "log in" via my site (just storing the two cookies).

BUT

the IPB forum doesn't seem to read my cookies, even though they are there. If i log in with the IPB forum, it doesn't even appear to change the cookies, but i finally have access.

Can you think of anything i'm missing?

I'll dig through the code a bit when i get home from work to see if i see anything.

  • 0

Well, I have my suspicions about what's wrong.

1: you might have some strange settings in your ipb

2: you are saving the wrong values to cookie (I reverted to nothing)

you need to save the member_login_key hash to cookie, not the converge key.

Also remember that sometimes you need to do a cold refresh of a page, as the page might be in cache; I have noticed this problem in both Opera and Firefox.

Note I could not get it to work in Opera (and when I did, Firefox and IE didn't).

I added 2 extra cookies (the same as the other 2 but global cookies), not sure what good it did.

login.zip

  • 0

1) any clue what those weird settings could be? i think everything should be fairly standard

2) i'm positive i'm saving the right values to the two cookies. part of what makes me so positive is that if i log in with my app, then my app recognizes my own cookies. if i log in with the forum, my app recognizes those cookies as well. i'm kinda stumped why that one little piece of the forum recognizing my cookies doesn't work.

i'm not saving the global cookies, i'll give that a try when i get home just to see if it makes a difference.

thanks for all your help so far.

This topic is now closed to further replies.