Prestashop 1.7.6 customer login password encryption

[Paul Albers]

Hello,
I'm developing an app for prestahop but i'm stuck at the customer login part. I can not find how the password is being encrypted the match the password in the database. I tried a lot of things such as combining the cookie_key with the password in md5 and bcrypt but noting looks like what is stored in the database. Anyone an idea?

Thanks!

Paul

[fbenoist.com]

Hi,

Encryption is defined in src/Core/Crypto/Hashing.php

Example of use :

use PrestaShop\PrestaShop\Core\Crypto\Hashing;
...

$crypto = new Hashing();
$encryptedPassword = $crypto->hash($textPasswd);

[Paul Albers]

Thanks,
Already found that but it's bit difficult to see how to see what's going on and to translate that part to c#. What I tried was:
Added BCrypt.Net from NuGet.
SaltRevision saltRev = new SaltRevision();
saltRev = SaltRevision.Revision2Y;
string mySalt = BCrypt.Net.BCrypt.GenerateSalt(saltRev);
string hash = BCrypt.Net.BCrypt.HashString(password, saltRev);

But that doesn't work unfortunally. Or am I using it wrong...

Thanks!

[fbenoist.com]

There are two methods, one with md5, the other with bcrypt. 

$encryptedPassword =  md5(_COOKIE_KEY_.$textPasswd);

or 

$encryptedPassword = password_hash($textPasswd, PASSWORD_BCRYPT);

see https://www.php.net/manual/en/function.password-hash.php 

The bcrypt method doesn't use salt.

[Takis Kamp]

On 3/6/2020 at 11:58 PM, fbenoist.com said:

There are two methods, one with md5, the other with bcrypt. 

$encryptedPassword =  md5(_COOKIE_KEY_.$textPasswd);

or 

$encryptedPassword = password_hash($textPasswd, PASSWORD_BCRYPT);

see https://www.php.net/manual/en/function.password-hash.php 

The bcrypt method doesn't use salt.

Hi

I have  prestashop 1.6  new 1.7  i have change the COOKIE_KEY_  but this is not the problem. 

customer login password don't work

in version 1.7 is much more complicated. In this case it is required to change the way of how correctness of password is checked in prestashop 1.7. This requires core code changes.  

Please to you now this code?

[Takis Kamp]

On 3/6/2020 at 8:44 PM, Paul Albers said:

Hello,
I'm developing an app for prestahop but i'm stuck at the customer login part. I can not find how the password is being encrypted the match the password in the database. I tried a lot of things such as combining the cookie_key with the password in md5 and bcrypt but noting looks like what is stored in the database. Anyone an idea?

Thanks!

Paul

Ηι have you found a solution to this problem?

[Crespi]

Same question as Takis Kamps... we need to know how password is being encrypted...

Thanks!!

[Crespi]

Thank you for your response @Crezzur. The problem here is that the "app" that needs the password decrypted is not built using PHP, it is built with ASPNET code. Could you think of a way to decrypt the password without using PHP?

thanks!

[Crespi]

Hi again @Crezzur. We had tried to encrypt de password directly  with md5 method, but the result doesn’t match with the one given by the webservice. Some site tell that the encryption should be the cookie_key+password with md5, but it still doesn’t work.

The encrypted password is something like this ‘$2y$10$4oL0UPdA4ULcuiW1P.H6kOmwZVg/6eScuXXXm.mNLUUP26xEkaX5u’

I wish your solution could work.

[youcefker]

hello did any one find a solution for this !!

 

[disarci]

Hi,

 

took me a little bit of time to find the right solutions,

so I'll post here also if an old thread.

 

1) solution as fbenoist wrote perfectly:

use PrestaShop\PrestaShop\Core\Crypto\Hashing;
...

$crypto = new Hashing();
$encryptedPassword = $crypto->hash($textPasswd);

problem with this solution is every time it runs my hashing change and everybody are logged out....

....so I found the 2nd:

 

2) solution:

$passwd_crypted = password_hash($plain_password, PASSWORD_BCRYPT);