Topic: pun_hash problem in install.php

When punbb is installed, the pun_hash function uses one of the md5, sha1 or mhash algorithms. But once installed, we just use only md5 in the check_cookie and pun_cookie functions in functions.php.

This will cause a problem, I think, for when a system has sha1 or mhash installed, then when we install punbb, the install script uses that algorithm, encrypts the password and saves it into the database. But after installation we cannot access as an admin user, for punbb uses only md5.

So, I think it is better to use pun_hash also when we make the cookie, or to change the punbb installation script to not use anything save md5.

Re: pun_hash problem in install.php

Has this actually caused you a problem...

I think the only way this can cause problems is if your server supports sha1, then you downgrade it and it only supports md5?

Re: pun_hash problem in install.php

jacobswell wrote:

When punbb is installed, the pun_hash function uses one of the md5, sha1 or mhash algorithms. But once installed, we just use only md5 in the check_cookie and pun_cookie functions in functions.php.

You say "we just use". What do you mean? Have you changed the code to only use md5? In that case, why?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

4 (edited by Smartys 2005-03-21 13:03)

Re: pun_hash problem in install.php

Ah, I see where he's confused.

setcookie($cookie_name, serialize(array($user_id, md5($cookie_seed.$password_hash))), $expire, $cookie_path, $cookie_domain, $cookie_secure);

$password_hash, if you had SHA1, would be SHA1 and THEN would be md5 hashed with the $cookie_seed.
In check_cookies:

if (!isset($pun_user['id']) || md5($cookie_seed.$pun_user['password']) !== $cookie['password_hash'])

The cookie password hash is md5($cookie_seed.$password_hash)
The check is md5($cookie_seed.$pun_user['password'])
As long as the password is hashed properly in the database (connor is right in that if you have SHA1 passes and then downgrade, you're screwed), the check should work.
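
The point made in the post above, as an added example that is not part of the original thread or PunBB's own code: the cookie token is an md5 over the seed and whatever hash string the database holds, so the cookie check passes whichever algorithm was used at install, while a password login breaks if the algorithm changes afterwards. The function names, the `$algo` parameter, the login check and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration; all example_* names are hypothetical, not PunBB functions.

// Stand-in for pun_hash(): $algo simulates which algorithm the server offers.
function example_hash(string $password, string $algo): string
{
    return $algo === 'sha1' ? sha1($password) : md5($password);
}

// Cookie token, built as in the setcookie() line quoted in the post.
function example_cookie_token(string $cookie_seed, string $stored_hash): string
{
    return md5($cookie_seed . $stored_hash);
}

// Cookie check, as in the quoted condition. hash_equals() is a
// constant-time equivalent of the !== comparison shown in the post.
function example_cookie_valid(string $cookie_seed, string $stored_hash, string $token): bool
{
    return hash_equals(example_cookie_token($cookie_seed, $stored_hash), $token);
}

// Assumed login check: hash the submitted password with the algorithm the
// server offers now and compare it with the value stored in the database.
function example_login_valid(string $submitted, string $stored_hash, string $algo): bool
{
    return hash_equals($stored_hash, example_hash($submitted, $algo));
}

$seed = 'constructed-seed';          // constructed sample value
$password = 'constructed-password';  // constructed sample value

foreach (['md5', 'sha1'] as $install_algo) {
    $stored = example_hash($password, $install_algo);  // written at install time
    $token = example_cookie_token($seed, $stored);     // value carried in the cookie
    printf("%-4s install: cookie check %s, login %s\n",
        $install_algo,
        example_cookie_valid($seed, $stored, $token) ? 'passes' : 'fails',
        example_login_valid($password, $stored, $install_algo) ? 'passes' : 'fails');
}

// Downgrade case from the thread: hash stored as SHA1, server now only offers md5.
$stored = example_hash($password, 'sha1');
$token = example_cookie_token($seed, $stored);
printf("sha1 -> md5 downgrade: cookie check %s, login %s\n",
    example_cookie_valid($seed, $stored, $token) ? 'passes' : 'fails',
    example_login_valid($password, $stored, 'md5') ? 'passes' : 'fails');
```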

Re: pun_hash problem in install.php

I'm sorry. It's my fault. It was my PHP problem and I thought there might be a bug. Now I have fixed my PHP problem.