Forums / Cotonti / Support / Auth System

Trustmaster
#23160 2010-02-23 16:57
Yes, the authentication system is a bit complicated. The actual authenticating code (that checks user auth keys) is located in system/common.php at lines 201-311.

Here is a brief explanation of how it works.

First you login via users.php?m=auth. That script checks your username and password. If the login is successful, it creates the authentication keys, which consist of:
  • User ID
  • Password Hash. This is not just an MD5 hash of the password. It is actually
    $passhash = md5($rmdpass.$hashsalt);
    where $rmdpass is an MD5 hash of the password and $hashsalt is a random string that does not let an attacker get a collision for your password if he has got the $passhash from your cookie.
If you have chosen "remember me", the authentication keys will be saved in a cookie variable, otherwise a session variable is used. The variable name is $sys['site_id'], so it's unique for every site:
$site_id = 'ct' . substr(md5($cfg['mainurl']), 0, 10);
$sys['site_id'] = $site_id;

Putting it all together, the auth keys are remembered like this:
$passhash = md5($rmdpass.$hashsalt);
$u = base64_encode($ruserid.':_:'.$passhash);

if($rremember)
{
	sed_setcookie($sys['site_id'], $u, time()+$cfg['cookielifetime'], $cfg['cookiepath'], $cfg['cookiedomain'], $sys['secure'], true);
}
else
{
	$_SESSION[$sys['site_id']] = $u;
}

Then there is another trick against client-side request forgery: the hashsalt is changed every minute. To be more precise, there is a session variable that indicates when the hashsalt was last changed:
$_SESSION['saltstamp'] = $sys['now_offset'];
If $_SESSION['saltstamp'] is older than 1 minute, the hashsalt is changed during the request. It is changed both in the user's cookie/session and is also tracked in the sed_users table, in the column called user_hashsalt.
May the Source be with you!
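The scheme Trustmaster describes above (site_id derivation, auth-key construction, verification against the sed_users row, and the one-minute hashsalt rotation) is modelled end to end in the following Python. This is an added example written for this page, not Cotonti's PHP code: MD5 and the ':_:' separator are kept for fidelity with the post, while the salt format, the UserStore class standing in for sed_users, the refresh_salt helper and the explicit `now` argument are assumptions made for the illustration. Cookie-versus-session storage is not modelled.

```python
"""Python model of the Cotonti-style auth-key scheme described in the post.
Added illustration, not Cotonti's own code. MD5 and ':_:' follow the post;
salt format, UserStore, refresh_salt and the `now` argument are assumptions."""
import base64
import hashlib
import hmac
import os

SALT_LIFETIME = 60  # seconds: the post says the hashsalt rotates every minute


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def site_id(mainurl: str) -> str:
    # $site_id = 'ct' . substr(md5($cfg['mainurl']), 0, 10);
    return "ct" + md5_hex(mainurl)[:10]


def new_hashsalt() -> str:
    # Per-user random salt; its exact format is not given in the post (assumed: 16 hex chars).
    return os.urandom(8).hex()


def make_auth_key(user_id: int, rmdpass: str, hashsalt: str) -> str:
    # $passhash = md5($rmdpass.$hashsalt);  $u = base64_encode($ruserid.':_:'.$passhash);
    passhash = md5_hex(rmdpass + hashsalt)
    return base64.b64encode(f"{user_id}:_:{passhash}".encode()).decode()


def decode_auth_key(key: str):
    """Split a cookie/session value back into (user_id, passhash); None if malformed."""
    try:
        uid, passhash = base64.b64decode(key, validate=True).decode().split(":_:", 1)
        return int(uid), passhash
    except (ValueError, UnicodeDecodeError):  # bad base64, bad UTF-8, no separator, non-int id
        return None


class UserStore:
    """Stand-in for the sed_users table: user_pass (md5 of password) and user_hashsalt."""

    def __init__(self):
        self.users = {}

    def register(self, user_id: int, password: str) -> None:
        self.users[user_id] = {"user_pass": md5_hex(password), "user_hashsalt": new_hashsalt()}

    def login(self, user_id: int, password: str):
        """users.php?m=auth side: check the password, then issue the auth key."""
        rec = self.users.get(user_id)
        if rec is None or not hmac.compare_digest(rec["user_pass"], md5_hex(password)):
            return None
        return make_auth_key(user_id, rec["user_pass"], rec["user_hashsalt"])

    def check_auth_key(self, key: str):
        """common.php side: recompute the passhash from the stored row and compare."""
        parsed = decode_auth_key(key)
        if parsed is None:
            return None
        user_id, passhash = parsed
        rec = self.users.get(user_id)
        if rec is None:
            return None
        expected = md5_hex(rec["user_pass"] + rec["user_hashsalt"])
        return user_id if hmac.compare_digest(expected, passhash) else None

    def refresh_salt(self, user_id: int, saltstamp: float, now: float):
        """Rotate user_hashsalt once $_SESSION['saltstamp'] is older than a minute.
        Returns (auth_key_to_store, new_saltstamp)."""
        rec = self.users[user_id]
        if now - saltstamp >= SALT_LIFETIME:
            rec["user_hashsalt"] = new_hashsalt()  # keys issued under the old salt stop validating
            saltstamp = now
        return make_auth_key(user_id, rec["user_pass"], rec["user_hashsalt"]), saltstamp


def demo() -> dict:
    """Walk through login, verification, a forged user id, and salt rotation."""
    store = UserStore()
    store.register(1, "correct horse")   # constructed sample users
    store.register(2, "attacker pw")
    key = store.login(1, "correct horse")
    r = {"wrong_password": store.login(1, "nope") is None,
         "valid_key": store.check_auth_key(key) == 1,
         "garbage_key": store.check_auth_key("not base64!") is None}
    # Attacker rewrites the user id inside their own key: the passhash is bound to
    # user 2's password hash and salt, so it does not match user 1's row.
    _, attacker_hash = decode_auth_key(store.login(2, "attacker pw"))
    forged = base64.b64encode(f"1:_:{attacker_hash}".encode()).decode()
    r["forged_uid"] = store.check_auth_key(forged) is None
    # Salt rotation: nothing changes within the minute; the old key dies after it.
    t0 = 1000.0
    same_key, stamp = store.refresh_salt(1, t0, t0 + 30)
    r["kept_within_minute"] = same_key == key and stamp == t0
    new_key, stamp = store.refresh_salt(1, t0, t0 + 61)
    r["rotated"] = (new_key != key and stamp == t0 + 61
                    and store.check_auth_key(key) is None
                    and store.check_auth_key(new_key) == 1)
    return r
```

The point the model makes visible is that the cookie value carries no secret the server does not already hold: verification is a recomputation of md5(user_pass . user_hashsalt) from the row, so a captured key is only as good as the current salt, and the rotation in refresh_salt invalidates it without touching the password.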