[TYPO3-core] RFC: Feature Request #7139: Integration of fe_users password encryption
Steffen Kamper
steffen at sk-typo3.de
Sun Jan 13 18:30:58 CET 2008
Hi Masi,
"Martin Kutschker" <martin.kutschker-n0spam at no5pam-blackbox.net> wrote in
message
news:mailman.1.1200240964.16098.typo3-team-core at lists.netfielders.de...
> Steffen Kamper wrote:
>> Type: Feature
>>
>> Branches: Trunk only
>>
>> BT reference: http://bugs.typo3.org/view.php?id=7139
>>
>> Problem:
>> fe_users password is only in plain mode
>>
>> Solution:
>> using a simple flag
>> $TYPO3_CONF_VARS['FE']['passwordType'] = 'plain|md5';
>>
>> authentication takes care and in case of md5 compares to md5-value.
>
> Ok, the var was my idea, but after checking the authentication code I see
> now that this is wrong.
>
> Below I have tried to make use of the existing
> $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] and combine it with a new
> $TYPO3_CONF_VARS['FE']['dbSecurityLevel'].
>
> When $TYPO3_CONF_VARS['FE']['dbSecurityLevel'] is set to "md5" you can
> either use "normal" (plain text password over the net) or the new "hashed"
> (straight md5 hash of password without challenge) for
> $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] (maybe "superchallenged"
> works as well). Default is "normal" so that you don't have to change your FE
> login forms (and require JS on the client side).
>
> t3lib_userauth::processLoginData():
>
>     if ($loginSecurityLevel=='normal') {
>         ...
>         $loginData['uident_hashed'] = (string)md5($loginData['uident']);
>     }
>     ...
>     // password sent as md5 hash without challenge
>     elseif ($loginSecurityLevel=='hashed') {
>         $loginData['uident_text'] = '';
>         $loginData['uident_hashed'] = $loginData['uident'];
>         $loginData['uident_challenged'] = '';
>         $loginData['uident_superchallenged'] =
>             (string)md5($loginData['uname'].':'.$loginData['uident'].':'.$loginData['chalvalue']);
>     }
>
>     ...
>
>     elseif ($this->security_level=='hashed') {
>         $loginData['uident'] = $loginData['uident_hashed'];
>     }
>
> t3lib_userauth::compareUident():
>
>     case 'hashed':
>     case 'normal':
>     default:
>         if ((string)$loginData['uident'] ===
>             (string)$user[$this->userident_column]) {
>             $OK = TRUE;
>         }
>
> tslib_feuserauth::start():
>
>     if ($TYPO3_CONF_VARS['FE']['dbSecurityLevel']=='md5') {
>         $this->security_level = 'hashed';
>         // default to plain text password in form
>         if (!isset($TYPO3_CONF_VARS['FE']['loginSecurityLevel'])) {
>             $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'normal';
>         }
>     }
>
> Masi
>
> PS: As processLoginData() takes $loginSecurityLevel as a parameter, it could
> be possible to have a login form that uses md5 when JS is available but
> has a plain text fallback.
First: yes, I caught your proposal and did it this easy way; tested, and it
works.
I don't understand what you feel is wrong.
Now I tried to follow what you've done. You introduced a new flag and set
loginSecurityLevel to 'hashed'. In userauth there are two existing
securityLevels, challenged and superchallenged, so this is also new.
// password sent as md5 hash without challenge
So you have to md5 the password before sending; I don't see how. This
requires at least some JS to do it.
In the end you come to the same result. In my case you don't need any JS.
And with challenge or superchallenge it works too.
So what is the conclusion?
Regards, Steffen
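The proposal quoted above, as an added stand-alone PHP model (not TYPO3's own code) that runs the four loginSecurityLevel values against a fe_users row stored with dbSecurityLevel=md5 and reports which ones authenticate; it assumes the challenge formulas of TYPO3 4.x t3lib_userauth and that the server compares at the same level the form used. It also makes visible that under 'hashed' the stored md5 is the very value accepted on the wire.

```php
<?php
// Added example, not TYPO3 code: a stand-alone model of the quoted proposal.
// Assumes the challenge formulas of TYPO3 4.x t3lib_userauth and that the
// server compares at the same level the login form used.

// Client side: what the login form sends as "uident" for a given loginSecurityLevel.
function clientUident(string $level, string $uname, string $password, string $chal): string
{
    switch ($level) {
        case 'normal':          return $password;                       // plain text over the wire
        case 'hashed':          return md5($password);                  // proposed: md5, no challenge
        case 'challenged':      return md5("$uname:$password:$chal");
        case 'superchallenged': return md5("$uname:" . md5($password) . ":$chal");
    }
    throw new InvalidArgumentException("unknown loginSecurityLevel: $level");
}

// Server side, after processLoginData(): with dbSecurityLevel=md5 the plain
// 'normal' value is replaced by uident_hashed = md5(uident); other levels pass through.
function processLoginData(string $level, array $loginData, string $dbLevel): string
{
    return ($level === 'normal' && $dbLevel === 'md5') ? md5($loginData['uident']) : $loginData['uident'];
}

// Server side, modelled on compareUident(): $stored is the fe_users.password column.
function compareUident(string $level, array $loginData, string $stored): bool
{
    switch ($level) {
        case 'superchallenged':
        case 'challenged':
            return $loginData['chalvalue'] !== ''
                && $loginData['uident'] === md5($loginData['uname'] . ':' . $stored . ':' . $loginData['chalvalue']);
        default: // 'hashed' and 'normal'; hash_equals() replaces the === of the proposal (constant-time)
            return hash_equals($stored, $loginData['uident']);
    }
}

// Constructed sample row: dbSecurityLevel=md5, so the password column holds md5(password).
$uname = 'alice'; $password = 's3cret'; $chal = 'c0ffee';   // constructed user and challenge
$stored = md5($password);
foreach (['normal', 'hashed', 'challenged', 'superchallenged'] as $level) {
    $ld = ['uname' => $uname, 'chalvalue' => $chal,
           'uident' => clientUident($level, $uname, $password, $chal)];
    $ld['uident'] = processLoginData($level, $ld, 'md5');
    printf("%-16s %s\n", $level, compareUident($level, $ld, $stored) ? 'OK' : 'FAIL');
}
// normal, hashed and superchallenged authenticate; challenged fails because its
// formula expects the plain password in the DB column. Under 'hashed' the stored
// md5 is itself the value accepted on the wire.
```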