[TYPO3-core] RFC: Feature Request #7139: Integration of fe_users password encryption
Martin Kutschker
martin.kutschker-n0spam at no5pam-blackbox.net
Sun Jan 13 17:16:09 CET 2008
Steffen Kamper wrote:
> Type: Feature
>
> Branches: Trunk only
>
> BT reference: http://bugs.typo3.org/view.php?id=7139
>
> Problem:
> fe_users password is only in plain mode
>
> Solution:
> using a simple flag
> $TYPO3_CONF_VARS['FE']['passwordType'] = 'plain|md5';
>
> authentication takes care and in case of md5 compares to md5-value.
Ok, the var was my idea, but after checking the authentication code I
see now that this is wrong.
Below I have tried to make use of the existing
$TYPO3_CONF_VARS['FE']['loginSecurityLevel'] and combine it with a new
$TYPO3_CONF_VARS['FE']['dbSecurityLevel'].
When $TYPO3_CONF_VARS['FE']['dbSecurityLevel'] is set to "md5" you can
either use "normal" (plain text password over the net) or the new
"hashed" (straight md5 hash of password without challenge) for
$TYPO3_CONF_VARS['FE']['loginSecurityLevel'] (maybe "superchallenged"
works as well). Default is "normal" so that you don't have to change your FE
login forms (or require JS on the client side).
t3lib_userauth::processLoginData():

    if ($loginSecurityLevel=='normal') {
        ...
        $loginData['uident_hashed'] = (string)md5($loginData['uident']);
    }
    ...
    // password sent as md5 hash without challenge
    elseif ($loginSecurityLevel=='hashed') {
        $loginData['uident_text'] = '';
        $loginData['uident_hashed'] = $loginData['uident'];
        $loginData['uident_challenged'] = '';
        $loginData['uident_superchallenged'] =
            (string)md5($loginData['uname'].':'.$loginData['uident'].':'.$loginData['chalvalue']);
    }
    ...
    elseif ($this->security_level=='hashed') {
        $loginData['uident'] = $loginData['uident_hashed'];
    }

t3lib_userauth::compareUident():

    case 'hashed':
    case 'normal':
    default:
        if ((string)$loginData['uident'] === (string)$user[$this->userident_column]) {
            $OK = TRUE;
        }
tslib_feuserauth::start():

    if ($TYPO3_CONF_VARS['FE']['dbSecurityLevel']=='md5') {
        $this->security_level = 'hashed';
        // default to plain text password in form
        if (!isset($TYPO3_CONF_VARS['FE']['loginSecurityLevel'])) {
            $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'normal';
        }
    }
Masi
PS: As processLoginData() takes $loginSecurityLevel as a parameter, it
could be possible to have a login form that uses md5 when JS is available
but falls back to plain text.
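The dbSecurityLevel / loginSecurityLevel combination described in this mail, modelled as a stand-alone PHP script. This is an added example and not TYPO3 code or the author's patch: the function names, the login() driver, the fe_users row and the challenge value are constructed for illustration, only the level names and the uident_* fields come from the mail, and hash_equals() (PHP 5.6+, array destructuring needs 7.1+) stands in for the === comparison. It also makes visible the trade-off the new "hashed" login level carries, which the mail mentions only as "without challenge": the md5 value sent by the form is itself the credential, so a captured value replays under any later challenge, whereas a superchallenged response is bound to its challenge.

```php
<?php
// Added example: a stand-alone model of the dbSecurityLevel / loginSecurityLevel
// scheme proposed in this mail. Not TYPO3 code; function names, the login()
// driver, the fe_users row and the challenge are constructed for illustration.
// Only the level names and the uident_* fields are taken from the mail.

// Models t3lib_userauth::processLoginData(): derive every representation of the
// password that the server can still compute from what the form actually sent.
function processLoginData(array $loginData, string $loginSecurityLevel): array
{
    $uname = $loginData['uname'];
    $chal  = $loginData['chalvalue'];
    switch ($loginSecurityLevel) {
        case 'normal':          // plain text password over the wire
            $loginData['uident_text']            = $loginData['uident'];
            $loginData['uident_hashed']          = md5($loginData['uident']);
            $loginData['uident_challenged']      = md5($uname.':'.$loginData['uident'].':'.$chal);
            $loginData['uident_superchallenged'] = md5($uname.':'.$loginData['uident_hashed'].':'.$chal);
            break;
        case 'hashed':          // new level from the mail: md5(password), no challenge
            $loginData['uident_text']            = '';
            $loginData['uident_hashed']          = $loginData['uident'];
            $loginData['uident_challenged']      = '';
            $loginData['uident_superchallenged'] = md5($uname.':'.$loginData['uident'].':'.$chal);
            break;
        case 'superchallenged': // md5(uname:md5(password):chalvalue), computed by JS in the form
            $loginData['uident_text']            = '';
            $loginData['uident_hashed']          = '';
            $loginData['uident_challenged']      = '';
            $loginData['uident_superchallenged'] = $loginData['uident'];
            break;
        default:
            throw new InvalidArgumentException("unknown loginSecurityLevel: $loginSecurityLevel");
    }
    return $loginData;
}

// Models the tslib_feuserauth::start() rule: md5 in the DB => compare the hashed form.
// The mail leaves 'superchallenged' open; here it is allowed whenever the DB holds md5.
function dbSecurityLevelToCompareLevel(string $dbSecurityLevel, string $loginSecurityLevel): string
{
    if ($dbSecurityLevel !== 'md5') {
        return 'normal';                                    // plain text column
    }
    return $loginSecurityLevel === 'superchallenged' ? 'superchallenged' : 'hashed';
}

// Models compareUident(): 'normal' and 'hashed' are a straight compare against the
// stored column, as in the mail; 'superchallenged' recomputes the response from the
// stored md5 and the server-side challenge. hash_equals() replaces === so the compare
// does not leak the position of the first mismatching byte through timing.
function compareUident(array $user, array $loginData, string $compareLevel, string $chal): bool
{
    switch ($compareLevel) {
        case 'superchallenged':
            $expected = md5($user['username'].':'.$user['password'].':'.$chal);
            $sent     = $loginData['uident_superchallenged'];
            break;
        case 'hashed':
            $expected = (string) $user['password'];         // md5 in the column
            $sent     = $loginData['uident_hashed'];
            break;
        default:
            $expected = (string) $user['password'];         // plain text in the column
            $sent     = $loginData['uident_text'];
    }
    return $sent !== '' && hash_equals($expected, $sent);
}

function login(array $user, string $dbSecurityLevel, string $loginSecurityLevel, string $uident, string $chal): bool
{
    $loginData = processLoginData(
        ['uname' => $user['username'], 'uident' => $uident, 'chalvalue' => $chal],
        $loginSecurityLevel
    );
    $level = dbSecurityLevelToCompareLevel($dbSecurityLevel, $loginSecurityLevel);
    return compareUident($user, $loginData, $level, $chal);
}

// Constructed fe_users row for a site with dbSecurityLevel = 'md5' (unsalted md5).
$alice = ['username' => 'alice', 'password' => md5('s3cret-pw')];
$chal  = md5('challenge-' . mt_rand());

$cases = [
    // label, expected result, dbSecurityLevel, loginSecurityLevel, uident sent, chalvalue
    ['normal form, right password',            true,  'md5', 'normal',          's3cret-pw',      $chal],
    ['normal form, wrong password',            false, 'md5', 'normal',          'wrong',          $chal],
    ['JS form sends md5(password)',            true,  'md5', 'hashed',          md5('s3cret-pw'), $chal],
    ['JS form sends superchallenged response', true,  'md5', 'superchallenged',
        md5('alice:'.md5('s3cret-pw').':'.$chal), $chal],
    // Caveat: with loginSecurityLevel 'hashed' the md5 value is the credential, so a
    // captured value replays against any later challenge without knowing the password.
    ['replay of captured md5, new challenge',  true,  'md5', 'hashed',          md5('s3cret-pw'), md5('other')],
    // The superchallenged response is bound to its challenge and does not replay.
    ['replay of superchallenged response',     false, 'md5', 'superchallenged',
        md5('alice:'.md5('s3cret-pw').':'.$chal), md5('other')],
];
foreach ($cases as [$label, $expected, $db, $lvl, $uident, $c]) {
    $got = login($alice, $db, $lvl, $uident, $c);
    printf("%-42s %s\n", $label, $got === $expected ? 'ok' : 'MISMATCH');
}
```

Run with `php example.php`; every line should print "ok". The last two cases are the point a practitioner would weigh before enabling "hashed" on a site: an unsalted md5 column plus a challenge-free login level turns the stored hash into a reusable password equivalent, so "normal" over TLS or "superchallenged" is the safer pairing with dbSecurityLevel = 'md5'.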