The password field is hashed in the SMF db, and there is also a salt field stored in the DB. Reading through the SMF code and documentation, however, I cannot see how that salt field is used, as all of the hashing through SHA-1 that I've seen in the code uses the current session as a salt value (I may be wrong on this; I'm not up to date on website security best practices and procedures).
This seems to be a topic which has been touched on a few times in the past couple of years (2007 and 2009), but I'm having trouble finding a specific fix.
What I'm attempting to do is use the SMF database as the authentication DB for Moodle, and I'm having no success. I've selected external database, and I'm connecting to it properly (because if I change the parameters to test, it shows that it cannot connect to the database until I correct them), but the hashed passwords do not match.
The auth.php file in the auth/db/ folder incorrectly runs the sha1 hashing. While I was looking up how MediaWiki has integrated sha1 and SMF with tight logins, I found that where Moodle writes it as:
$extpassword = sha1($extpassword);
the correct implementation is actually:
$extpassword = sha1(strtolower($username) . $password);
This will not work the way it is written, pretty much ever, against any other sha1 db because of the stripslashes being run against $username and $password in the beginning of the function user_login.
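The difference between the two hashing lines above, and the effect of stripslashes on the input, as an added example that is not part of the original post or of Moodle's or SMF's code. It assumes the stored value is a SHA-1 hex digest of the lowercased username followed by the password, as the post states; the function names and the sample member record are constructed for illustration.

```php
<?php
// Added illustration: function names are hypothetical, sample data is constructed.

// Hash in the form the thread reports for SMF:
// SHA-1 over the lowercased username followed by the password.
function smf_style_hash(string $username, string $password): string {
    return sha1(strtolower($username) . $password);
}

// Compare a login attempt against the stored hex digest in constant time.
function smf_style_verify(string $username, string $password, string $stored): bool {
    return hash_equals(strtolower($stored), smf_style_hash($username, $password));
}

// Constructed record standing in for one row of the SMF members table.
// The password contains a backslash and a quote: pa\ss"word
$member = ['name' => 'JamesK', 'hash' => smf_style_hash('JamesK', 'pa\\ss"word')];

$typed = 'pa\\ss"word'; // what the user types at the Moodle login form

$checks = [
    // The username is lowercased before hashing, so its case does not matter.
    'username . password, other username case' =>
        smf_style_verify('jamesk', $typed, $member['hash']),
    // Hashing the password alone does not reproduce the per-user digest.
    'sha1(password) only' =>
        hash_equals($member['hash'], sha1($typed)),
    // stripslashes() removes the backslash, so a different string gets hashed.
    'username . stripslashes(password)' =>
        smf_style_verify('jamesk', stripslashes($typed), $member['hash']),
];

foreach ($checks as $label => $ok) {
    printf("%-44s %s\n", $label, $ok ? 'match' : 'MISMATCH');
}
```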
Thank You James!!!!
Works with the member tables for SMF2.0RC3 also
This had about driven me nuts. Knew it was the hash, but couldn't figure it out.
The 'stated' ability to drive from another database was one reason I chose Moodle for a limited application related to the forum site. Was about to give up the attempt.
Helped me too.
Also, would appreciate any ideas re: if there is a way to auto log in from SMF, without having to log in again in Moodle?