• Resolved douweyntema

    (@douweyntema)


    I installed the plugin and everything looks to be working fine. If I do a test connection, a dialog pops up with data from my external database.
    I checked the checkbox on the first page, “Enable External Login”.
    But when logging in to WordPress with account info from the external database, I get “invalid username or password”.
    I use SHA256 encryption.
    Question is: what is the meaning of the setting “salt location before or after”?
    I tried both, but no luck.

    Checked the WP database, but no record is added after login.

    I am not familiar with WordPress, so I guess the user has to log in via yoursite.com/login?

Viewing 13 replies - 1 through 13 (of 13 total)
  • Plugin Author tbenyon

    (@tbenyon)

    Hey @douweyntema,

    A salt is something that may get added to the password to increase security.

    Using a SHA256 hash alone is not a particularly secure method of storing passwords. There’s some information on the main page if you’re interested in learning more.

    The specific setting just specifies that, if you are using a salt, does it get added to the beginning or end of the password before the password is hashed.

    It’s all completely down to how your external system hashes passwords.

    If it is just using SHA256 then you need to use a salt in your settings.

    Hope this helps but feel free to come back at me with more questions

    Thread Starter douweyntema

    (@douweyntema)

    Thanks, but my external system uses a separate salt for every password, it is stored in a separate field in the user database. I don’t understand why the salt needs to be placed before or after the password? It is already in a separate field.

    Plugin Author tbenyon

    (@tbenyon)

    Hey @douweyntema,

    So there are an infinite number of ways to hash a password, some better than others and some just different.

    When your external system stores a password, it will hash it in some way.

    You’ve said that every user has their own salt, which is good practice.

    When a user on your system creates a password, your system will hash it in some way. For example, it may:
    1) get the user inputted password of ‘monkey’
    2) create a random salt for the user ‘abc123’
    3) join the password and hash somehow ‘monkeyabc123’ OR ‘abc123monkey’
    4) hash the created string of monkeyabc123
    5) store the created hash and the used salt in the database

    The option we’re discussing chooses (in step 3 above) if the salt goes on the end or the beginning.

    This setting is for basic usages. Your external system may be more complex than the basic process described here. If this is the case, you’ll find some information in the home page FAQ section on how to use a hook to add some logic in for your custom use case.

    I’m happy to advise with this but you must first know what the external system you have in place does.

    Thanks,

    Tom
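    The five-step process above, as an added PHP example (not from the thread or the External Login plugin): a plain salted SHA256 where the only difference between the two settings is whether the salt is joined before or after the password. The function names and the sample values (‘monkey’, ‘abc123’) are constructed for this illustration; the second verify call shows what happens when the salt-position setting does not match how the external system built the hash.

```php
<?php
// Added example, not part of the plugin: plain salted SHA256 with the salt
// placed either before or after the password, as in step 3 of the thread.

// Build the stored hash the way a simple external system might.
function exlog_example_salted_sha256(string $password, string $salt, string $position): string {
    $joined = ($position === 'before') ? $salt . $password : $password . $salt;
    return hash('sha256', $joined);
}

// Verify a typed password against the stored hash. hash_equals() compares in
// constant time and avoids PHP's loose == comparison on hex strings.
function exlog_example_verify(string $password, string $storedHash, string $salt, string $position): bool {
    return hash_equals($storedHash, exlog_example_salted_sha256($password, $salt, $position));
}

// Constructed sample data: the external system stored sha256('monkeyabc123'),
// i.e. salt AFTER the password, and keeps the salt in its own column.
$salt       = 'abc123';
$storedHash = exlog_example_salted_sha256('monkey', $salt, 'after');

var_dump(exlog_example_verify('monkey', $storedHash, $salt, 'after'));  // bool(true)  - setting matches
var_dump(exlog_example_verify('monkey', $storedHash, $salt, 'before')); // bool(false) - wrong salt position
```

    If the external system does anything beyond concatenating the salt and hashing once (an HMAC, multiple rounds, a site-wide pepper), neither setting will match and the hook route described later in the thread is the right tool.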

    Thread Starter douweyntema

    (@douweyntema)

    So, now I figured out the plugin is working, because when I log in, my password on WP is changed. But because the hashing method is different from my external system, after the password change by the plugin I cannot login anymore (need password recovery)

    I am not familiar with WP, but I am able to do PHP programming. Can you explain which files I need to change in your plugin to make a custom hashing method?
    I read the FAQ, but a dead link leads to nothing else.

    Plugin Author tbenyon

    (@tbenyon)

    If you don’t have the correct hash algorithm set up then your password won’t be validated by the plugin and it should not update the WordPress user. I would be very surprised if the plugin changed your password.

    You will be blocked from logging in with a username on WordPress if the username exists in the external database and your password was not validated.

    If the user does not exist on the external database it will try and log the user in via the WordPress database (unless “disable local login” option is selected).

    If you do authenticate correctly, it will store a different hash (using WordPress’ bcrypt hashing algorithm) for the same password in the WordPress database.

    This way you can login with both systems with the same password but the hash will appear different.

    Regarding the documentation, the details can be found in the hooks question in the FAQ.

    https://www.ads-software.com/plugins/external-login/#what%20hooks%20are%20available%20in%20the%20external%20login%20flow%3F

    You want the ‘exlog_hook_filter_authenticate_hash’ hook.

    You’ll want to copy the code example and paste it in the top of your functions.php file.

    Then you can change the logic within the function for your specific hashing use case.

    Let me know if you have further questions.

    Thread Starter douweyntema

    (@douweyntema)

    For me it is the same: if the hashing algorithm is not set up correctly, the password is not validated correctly, resulting in being blocked from logging in to WordPress.

    I had to switch off the plugin via phpMyAdmin in the database before I was able to log in to my WordPress site again.

    About the hook,

    You’ll want to copy the code example and paste it in the top of your functions.php file.

    But I cannot find a file called functions.php in the folder structure of the plugin. Where has this file to be created?

    I am sorry, I am not familiar with WordPress.

    Plugin Author tbenyon

    (@tbenyon)

    For me it is the same: if the hashing algorithm is not set up correctly, the password is not validated correctly, resulting in being blocked from logging in to WordPress.

    Yes this makes sense as described above: “You will be blocked from logging in with a username on WordPress if the username exists in the external database and your password was not validated.”

    Without this, if you changed a password for a user on the external system, it would never validate externally but continue to log them in locally with the now outdated password.

    But I cannot find a file called functions.php in the folder structure of the plugin. Where has this file to be created?

    No this file does not exist in the plugin.

    You would not want to modify the code in the plugin as every time there was an update to the plugin it would be wiped.

    Instead, WordPress uses a system called hooks that allow you to write custom code snippets outside of the plugin that will be executed at a set point while the plugin is running.

    As a beginner to WordPress, the functions.php file is a fine place to put this for now and it exists in the base of your themes folder.

    Thanks,

    Tom

    Thread Starter douweyntema

    (@douweyntema)

    Thanks I will try.

    Now I changed my password on WP, so it is different from password on external system (usernames are equal)
    I cannot log onto WP.

    Via phpMyAdmin I disabled the external plugin, and now I am able to log in to WP.

    Same as with the previous situation, where username and password are equal on WP and external system. When plugin is enabled, I cannot logon to WP. I guess this is because the hashing on external system is not supported by the plugin, therefore I have to make the hook.

    The migration checkbox is not set on the plugin.

    If the migration checkbox is checked, I can logon to WordPress, with different or equal passwords on external system.

    Plugin Author tbenyon

    (@tbenyon)

    Hey @douweyntema,

    Just checking in to see how you got on implementing the hook?

    Thread Starter douweyntema

    (@douweyntema)

    Sorry, but I did not find any time yet to work on it.

    But I will try next week.

    Thank you

    Plugin Author tbenyon

    (@tbenyon)

    No worries

    Have a great weekend.

    Thread Starter douweyntema

    (@douweyntema)

    Ok, I have it working now!

    Here is the code I inserted in functions.php of the theme I use:

    /*
    exlog_hook_filter_authenticate_hash

    You can use this hook to check if the password is correct in a custom way. For example, if you use a hashing algorithm not supported by the plugin by default.

    This hook provides you with a range of different information:
    – $password – the password that was typed in at the login screen
    – $hashFromDatabase – the hash stored in the database
    – $username – the username that was typed in at the login screen
    – $externalUserData – the rest of the data retrieved from the external database for the user that was found

    Returning true will authenticate the user and returning false will treat them as unauthorised.
    */
    function myExlogHashAuthenticator($password, $hashFromDatabase, $username, $externalUserData) {
        // The external (PHP-Fusion) user row carries the per-user algorithm name and salt;
        // recompute the HMAC of the typed password with that salt as the key.
        $inputPasswordHash = hash_hmac($externalUserData['user_algo'], $password, $externalUserData['user_salt']);
        if ($inputPasswordHash == $hashFromDatabase) {
            return TRUE;
        } else {
            return FALSE;
        }
    }
    // Register the callback at priority 10, accepting all 4 arguments the hook passes.
    add_filter('exlog_hook_filter_authenticate_hash', 'myExlogHashAuthenticator', 10, 4);

    This code is for logging in via PHP-Fusion. I tested with V8 and I am pretty sure it should also work for V7. I guess it should work with V9 too, but not sure and not tested with V9.

    I also tested inserting the code with the plugin My Custom Functions, and there it is working also. I am using it with the custom functions plugin now, to avoid the code being lost when updating the theme.

    Thanks for helping me and pointing this out. I am going to place this on the PHP-Fusion forum as well.
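    A more defensive version of the same hook callback, added here as an example and not the poster’s code or part of the External Login plugin. It keeps the HMAC scheme and the user_algo / user_salt field names from the post above, and assumes $externalUserData is an associative array of the external user row. What it adds: it fails closed when a field is missing, refuses algorithm names PHP cannot run as an HMAC (so a bad value cannot silently produce a wrong-but-comparable hash), and uses hash_equals() instead of a loose == comparison, which in PHP can treat two different hex strings of the form 0e… as equal. The function name and the sample row at the bottom are constructed.

```php
<?php
// Added example, not the plugin's or the poster's code: a defensive
// exlog_hook_filter_authenticate_hash callback for an HMAC-based external system.

function exlog_example_hmac_authenticator($password, $hashFromDatabase, $username, $externalUserData) {
    // Fail closed if the external row does not carry what we need.
    if (!is_array($externalUserData)
        || empty($externalUserData['user_algo'])
        || !isset($externalUserData['user_salt'])
        || !is_string($hashFromDatabase) || $hashFromDatabase === '') {
        return false;
    }

    $algo = strtolower((string) $externalUserData['user_algo']);

    // Only accept algorithms PHP can actually use with hash_hmac(); an unknown
    // name would otherwise raise an error (PHP 8) or return false (PHP 7).
    if (!in_array($algo, hash_hmac_algos(), true)) {
        return false;
    }

    $computed = hash_hmac($algo, (string) $password, (string) $externalUserData['user_salt']);

    // Constant-time comparison; hash_hmac() returns lowercase hex, so normalise the stored value.
    return hash_equals(strtolower($hashFromDatabase), $computed);
}

// Register the hook only when running inside WordPress (add_filter is a WordPress function).
if (function_exists('add_filter')) {
    add_filter('exlog_hook_filter_authenticate_hash', 'exlog_example_hmac_authenticator', 10, 4);
}

// Constructed self-check when run from the command line outside WordPress.
if (PHP_SAPI === 'cli') {
    $row = ['user_algo' => 'sha256', 'user_salt' => 'abc123'];          // constructed external row
    $stored = hash_hmac('sha256', 'monkey', 'abc123');                    // what the external system would store
    var_dump(exlog_example_hmac_authenticator('monkey', $stored, 'alice', $row));  // bool(true)
    var_dump(exlog_example_hmac_authenticator('wrong',  $stored, 'alice', $row));  // bool(false)
    var_dump(exlog_example_hmac_authenticator('monkey', $stored, 'alice', ['user_algo' => 'nope'])); // bool(false): missing salt
}
```

    Because the plugin blocks local login for any username that exists externally but fails validation, returning false on malformed data is the safe default: a broken external row locks that one account out rather than letting it in.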

    Plugin Author tbenyon

    (@tbenyon)

    Hey @douweyntema,

    That’s great news that you’ve got it working

    Glad the plugin has been of use to you

    If you’re happy I’d be grateful if you could write a review or even buy me a beer.

    Thanks again and well done for getting it working!

  • The topic ‘SHA256 encryption’ is closed to new replies.