Hey, I've been using the WordPress integration method described here which worked wonderfully. However, as of 2.5, WordPress now uses phpass and salts the hashes, as well as encrypts cookies (Described here towards the bottom). I've already tried to figure out how to modify the implementation but I just can't figure it out. I believe I have to use either wp_hash_password or wp_check_password. I don't care if the auto-authentication works (It might not because that involved cookies, and WordPress changed the way it does cookies). There is a plugin to revert to the original plain md5 hashing method here here, but I would prefer the extra layer of security. Here are the definitions of wp_check_password() and wp_hash_password().
I would appreciate if anyone has any answers or could help in any way with this, as I would like to keep Vanilla forums. I don't mind doing this myself, I just need some type of guidance. SirNot, please help :(
I forgot to mention. To use WordPress functions such as the ones I mentioned earlier, wp_check_password() and wp_hash_password(), one must follow the procedure outlined here. This will allow one to call functions as if they were working on WordPress files themselves.
@rmccue: If you do write one eventually, please let me know! I'd be glad to help if you need anything, by the way.
I'm currently using the plugin to store passwords with md5 encryption.
You need to login from wordpress at least one time to let it create the "secret" option that is the secret salt (or at least verify that the option exists!).
You need to specify a $Configuration['WP_SECRET_KEY'] to match exactly the SECRET_KEY defined in wp-config.php
This is highly experimental!
The previous version uses two cookies, one to store the plain username and one to store che double-md5-ed password. So to get the identity it verifies the stored username and password with the ones in the cookies. In this version as long as I've got this right it uses only one cookie to store a string made by the username, the expiration time (I've set this to one hour) and a hash. So Vanilla has to verify this hash. I'm concerned to not weak the security in a way I've not understood, so, please, may you confirm this?
I've set up a gdoc with the source, but tell me if there is a better way to share it (I can send the source to Mark if needed).
Typically I just spent the morning doing precisely the same thing as micz.. Should've checked here first! This is working fine on my site in conjunction with the MD5 Password Hashes plugin.
Our implementation is pretty much the same - cheap and cheerful copy-paste of the auth functions from pluggable.php in wordpress.. I suppose it's somewhat reassuring that two people independently came out with the exact same solution.
You're right we've done the same thing: fast and effective. :) I've only forgotten to remove a couple not used variables from the custom version of the file I'm using in my webapp.
So I assume that this is the right way and we're not weakening the wp security.
So I assume that this is the right way and we're not weakening the wp security.
Yes, this is the absolute wrong way to do it. The password hashing was changed to be more resilient to cracking by using HMACs and this plugin reverts it to the old behaviour. The real way to do it would be to use the actual new functions as part of WP.
Yes rmccue, you're right. But I was only referring to the new cookie management. I know using that plugin (I didn't write) is reverting to the old md5 password system.
The code I and mafro wrote is about the way Wordpress 2.5 is using the cookie to mantain the authentication and my concern was only about that.
I think you can use the wp login form with the new passowrd system and, after the authentication, with the modified WordpressAuthenticator file, the user should still logged into vanilla. I've not tested it thought.
I hope someone will come out with the modification you need.
I have set up my site using micz script, and installed the md5 hashes plugin in WP.. It won't work though - i can easily share the user database as usual, but cookies won't work. When i have logged in in WP i am not logged in in Vanilla, and as soon as i log in the other place, i am logged out the other.
Any idea what i am doing wrong, or how i can fix it?
have you checked if in your wp option table there is the "secret" option? Have you specified a $Configuration['WP_SECRET_KEY'] to match exactly the SECRET_KEY defined in wp-config.php?
Fantastic! Works now! Weird enough the secret in wp_options was different from the one in wp-config and vanilla :) changed to let them all match, and it works!
@micz: Thanks man I really appreciate it. I noticed that you are using the MD5 hash plugin for WordPress. This is great since it at least works, but it'd be better if we could make use of the new security features in WordPress. Someone was kind enough to provide a working fix for the WordPress to phpBB3 bridge, WP-United. I think that the method they used could be implemented into the Vanilla bridge. What I mean by this is we can see how they modified the existing code (Since it operated in the same manner as this bridge, the whole hashing of passwords, storing of cookies, etc.) and modify ours respectively. I will try to do this myself but I don't know just how right I could do it. I have provided you with the information you'll need though, I believe.
Thanks again micz, I really appreciate even this fix. I would definitely appreciate a fix that makes use of the new features though. Like I've said, to be able to use the WordPress functions, you'll want to do what is outlined here.
To be honest I dont think it's really necessary to use the new password hashing scheme, ok so it's more secure against brute force attacks (rainbow tables etc..) should anyone get access to your DB, but most of the security benefits already exist via the port of the new cookie management protocol and the use of a salt on the hash.
Most of every site on the internet written in PHP will use md5 hashed passwords. For future development it makes sense to use phpass - but I wouldnt really worry about it for your WP/Vanilla homepage.
Alright then. So the fix that micz provided is mainly to fix the cookie handling? Because it seems that why (Else why still use the MD5 Hash plugin). I'm fine with that, it's working perfectly fine now (When I go to the forums I am logged in). Thanks.
This modification will not work with Wordpress 2.5.1, because some core functions are little different in this version. I hope to find soon the time to update the code.