[TYPO3-core] RFC: Feature Request #7139: Integration of fe_users password encryption

Steffen Kamper steffen at sk-typo3.de
Tue Jan 15 00:41:36 CET 2008


"Ingmar Schlecht" <ingmar at typo3.org> wrote in the news post 
news:mailman.1.1200350825.12442.typo3-team-core at lists.netfielders.de...
> Hi Steffen,
>
> Steffen Kamper wrote:
>> the biggest problem for me is the JS for the BE. Looking at md5.js it's 
>> not an easy task
>
> If it's only the JS - no problem, I guess Benni, Ingo or I can help you 
> with that. It'll probably be a 5 minutes thing (only the JS part), so just 
> ignore it for now and assume you'd have a string in the DB like shown in 
> my example with md5 and the random string separated by @.
>
> cheers
> Ingmar
>
> -- 
> Ingmar Schlecht
> TYPO3 Association Active Member

Ok. I had a first look at that. There are some issues that have to be respected.

- method for salted password compare should be general in 
t3lib_userauth::compareUident to have no double coding for the same method 
(BE & FE)
- method for generating the salt should be a static method, maybe in t3lib_div, as 
it's needed in tceforms and other places. I like Ingmar's and Dmitry's proposal 
to generate it this way:
$saltKey = uniqid('',true);
$password = (string)md5($password . $saltKey) . '@' . $saltKey;

- to separate methods for BE & FE, 2 new config vars should be created, e.g.
$TYPO3_CONF_VARS['BE']['useSaltKey'] = true;
$TYPO3_CONF_VARS['FE']['useSaltKey'] = true;

or should it be like the config var I introduced in this patch, to have three 
states:
$TYPO3_CONF_VARS['FE']['passwordType'] = 'plain|md5|salt';
Then it would make sense to use the same for BE (without plain)
$TYPO3_CONF_VARS['BE']['passwordType'] = 'md5|salt';

- I'm not sure what happens with challenged/superchallenged, as they should 
also use the saltKey if set.

I think it would be the best to make it for both BE/FE in one task as 
methods overlap.

vg  Steffen 
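The scheme discussed in this thread, written out as a runnable PHP example (added here; it is not TYPO3 code and not code posted by Steffen or Ingmar): the stored value is md5(password . saltKey) . '@' . saltKey as proposed, and a single compare routine honours the three-state passwordType setting (plain|md5|salt). The function names hashPasswordSalted, comparePassword and generateSaltKey are hypothetical; the '@' split and the config values come from the thread.

```php
<?php
// Added example, not part of TYPO3 or of this thread's patch.
// Storage format as proposed: md5($password . $saltKey) . '@' . $saltKey

function generateSaltKey(): string
{
    // uniqid('', true) as suggested in the thread. It is time-derived, so it
    // gives per-record uniqueness, not cryptographic randomness.
    return uniqid('', true);
}

function hashPasswordSalted(string $password): string
{
    $saltKey = generateSaltKey();
    return md5($password . $saltKey) . '@' . $saltKey;
}

// One general compare for BE and FE, selected by the passwordType config
// value ('plain', 'md5' or 'salt'), so the logic is not duplicated.
function comparePassword(string $stored, string $given, string $passwordType): bool
{
    switch ($passwordType) {
        case 'plain':
            return hash_equals($stored, $given);

        case 'md5':
            return hash_equals($stored, md5($given));

        case 'salt':
            // The md5 hex digest never contains '@', so the first '@'
            // separates hash and salt.
            $parts = explode('@', $stored, 2);
            if (count($parts) !== 2 || $parts[1] === '') {
                return false; // malformed record: no salt stored
            }
            [$hash, $saltKey] = $parts;
            return hash_equals($hash, md5($given . $saltKey));

        default:
            return false; // unknown passwordType: never accept
    }
}

// Constructed demo (hypothetical config value and password)
$TYPO3_CONF_VARS['FE']['passwordType'] = 'salt';
$record = hashPasswordSalted('correct horse');
$ok  = comparePassword($record, 'correct horse', $TYPO3_CONF_VARS['FE']['passwordType']);
$bad = comparePassword($record, 'wrong password', $TYPO3_CONF_VARS['FE']['passwordType']);
```

hash_equals is used for every branch so that the comparison does not leak timing information; a malformed salted record (no '@') is rejected rather than compared as plain text, which is the failure mode to watch when plain, md5 and salt records coexist in one table during migration.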
