Paul Albers, posted March 6, 2020

Hello,

I'm developing an app for PrestaShop but I'm stuck at the customer login part. I cannot find how the password is being encrypted to match the password in the database. I tried a lot of things, such as combining the cookie_key with the password in md5 and bcrypt, but nothing looks like what is stored in the database.

Does anyone have an idea?

Thanks!
Paul

fbenoist.com, posted March 6, 2020

Hi,

Encryption is defined in src/Core/Crypto/Hashing.php

Example of use:

    use PrestaShop\PrestaShop\Core\Crypto\Hashing;
    ...
    $crypto = new Hashing();
    $encryptedPassword = $crypto->hash($textPasswd);

Paul Albers (Author), posted March 6, 2020

Thanks,

I already found that, but it's a bit difficult to see what's going on and to translate that part to C#. What I tried was:

Added BCrypt.Net from NuGet.

    SaltRevision saltRev = new SaltRevision();
    saltRev = SaltRevision.Revision2Y;
    string mySalt = BCrypt.Net.BCrypt.GenerateSalt(saltRev);
    string hash = BCrypt.Net.BCrypt.HashString(password, saltRev);

But that doesn't work, unfortunately. Or am I using it wrong...

Thanks!

fbenoist.com, posted March 6, 2020

There are two methods, one with md5, the other with bcrypt.

    $encryptedPassword = md5(_COOKIE_KEY_.$textPasswd);

or

    $encryptedPassword = password_hash($textPasswd, PASSWORD_BCRYPT);

see https://www.php.net/manual/en/function.password-hash.php

The bcrypt method doesn't use salt.

Takis Kamp, posted June 26, 2021

On 3/6/2020 at 11:58 PM, fbenoist.com said:
> There are two methods, one with md5, the other with bcrypt.
>
>     $encryptedPassword = md5(_COOKIE_KEY_.$textPasswd);
>
> or
>
>     $encryptedPassword = password_hash($textPasswd, PASSWORD_BCRYPT);
>
> see https://www.php.net/manual/en/function.password-hash.php
>
> The bcrypt method doesn't use salt.

Hi, I have PrestaShop 1.6, new 1.7. I have changed the COOKIE_KEY_ but this is not the problem. Customer login password doesn't work; in version 1.7 it is much more complicated. In this case it is required to change the way the correctness of the password is checked in PrestaShop 1.7. This requires core code changes. Please, do you know this code?

Takis Kamp, posted June 26, 2021

On 3/6/2020 at 8:44 PM, Paul Albers said:
> Hello,
>
> I'm developing an app for PrestaShop but I'm stuck at the customer login part. I cannot find how the password is being encrypted to match the password in the database. I tried a lot of things, such as combining the cookie_key with the password in md5 and bcrypt, but nothing looks like what is stored in the database.
>
> Does anyone have an idea?
>
> Thanks!
> Paul

Hi, have you found a solution to this problem?

Crespi, posted July 1, 2021

Same question as Takis Kamp... we need to know how the password is being encrypted...

Thanks!!

delete-account-pleas, posted July 1, 2021

35 minutes ago, Crespi said:
> Same question as Takis Kamp... we need to know how the password is being encrypted...
>
> Thanks!!

As you can see in their source file Tools.php:

    /**
     * Hash password.
     * @param string $passwd String to hash
     * @return string Hashed password
     * @deprecated 1.7.0
     */
    public static function encrypt($passwd)
    {
        return self::hash($passwd);
    }

    /**
     * Hash password.
     * @param string $passwd String to hash
     * @return string Hashed password
     * @since 1.7.0
     */
    public static function hash($passwd)
    {
        return md5(_COOKIE_KEY_ . $passwd);
    }

Source: https://github.com/PrestaShop/PrestaShop/blob/develop/classes/Tools.php

Crespi, posted July 8, 2021

Thank you for your response @Crezzur.

The problem here is that the "app" that needs the password decrypted is not built using PHP, it is built with ASPNET code. Could you think of a way to decrypt the password without using PHP?

Thanks!

delete-account-pleas, posted July 8, 2021

48 minutes ago, Crespi said:
> Thank you for your response @Crezzur.
>
> The problem here is that the "app" that needs the password decrypted is not built using PHP, it is built with ASPNET code. Could you think of a way to decrypt the password without using PHP?
>
> Thanks!

Why not encrypt the inputted password in your ASPNET app with md5() and check if the encrypted passwords are equal?

For example:

- Encrypted password from the PrestaShop databank = 999ddd222eee
- The user puts in their password in your ASPNET app, for example HeloThisisMyPassword
- Run an md5 encrypt on the password HeloThisisMyPassword, which will result in 999ddd222eee

When you check the PrestaShop encrypted password 999ddd222eee, it should be equal to the encrypted password in your application.

Crespi, posted July 9, 2021

Hi again @Crezzur.

We had tried to encrypt the password directly with the md5 method, but the result doesn't match the one given by the webservice. Some sites say that the encryption should be the cookie_key+password with md5, but it still doesn't work.

The encrypted password is something like this: '$2y$10$4oL0UPdA4ULcuiW1P.H6kOmwZVg/6eScuXXXm.mNLUUP26xEkaX5u'

I wish your solution could work.

delete-account-pleas, posted July 9, 2021 (edited)

14 minutes ago, Crespi said:
> Hi again @Crezzur.
>
> We had tried to encrypt the password directly with the md5 method, but the result doesn't match the one given by the webservice. Some sites say that the encryption should be the cookie_key+password with md5, but it still doesn't work.
>
> The encrypted password is something like this: '$2y$10$4oL0UPdA4ULcuiW1P.H6kOmwZVg/6eScuXXXm.mNLUUP26xEkaX5u'
>
> I wish your solution could work.

You need to take the cookie key from your PrestaShop file. For example, in your application you have to do it like this (PrestaShop 1.7+):

Go to Yourstore\app\config\parameters.php; there you will find a line called cookie_key. You need to add this value when you encrypt it in your application, for example:

    'cookie_key' => 'ThisIsMyExtreemLongCookieKey',

Then you have to encrypt it in your application like:

    md5('ThisIsMyExtreemLongCookieKey' . 'ThisIsTheCustomerPassword');

Because the _COOKIE_KEY_ is created like this in Yourstore\config\bootstrap.php:

    // Legacy cookie
    if (array_key_exists('cookie_key', $config['parameters'])) {
        define('_COOKIE_KEY_', $config['parameters']['cookie_key']);
    } else {
        // Define cookie key if missing to prevent failure in composer post-install script
        define('_COOKIE_KEY_', Tools::passwdGen(56));
    }

The encryption of a password is done like this in PrestaShop:

    /**
     * Encrypt password.
     *
     * @param object $object Object to display
     */
    public static function encrypt($passwd)
    {
        return md5(pSQL(_COOKIE_KEY_ . $passwd));
    }

Edited July 9, 2021 by Crezzur

youcefker, posted May 1, 2022

Hello, did anyone find a solution for this!!

disarci, posted August 16, 2023

Hi,

It took me a little bit of time to find the right solutions, so I'll post here even if it's an old thread.

1) Solution as fbenoist wrote perfectly:

    use PrestaShop\PrestaShop\Core\Crypto\Hashing;
    ...
    $crypto = new Hashing();
    $encryptedPassword = $crypto->hash($textPasswd);

The problem with this solution is that every time it runs my hashing changes and everybody is logged out....

....so I found the 2nd:

2) Solution:

    $passwd_crypted = password_hash($plain_password, PASSWORD_BCRYPT);

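
An added example, not code from any poster or from PrestaShop: a C# login check covering both stored formats mentioned in the thread, the legacy md5(_COOKIE_KEY_ . $passwd) digest and the `$2y$10$...` bcrypt string. A bcrypt string carries its own cost and salt, so it is checked with Verify() rather than by hashing the input again and comparing strings. Assumptions: the BCrypt.Net-Next NuGet package, .NET Core 2.1 or later, passwords encoded as UTF-8, and a hypothetical class name PrestaShopPassword.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

public static class PrestaShopPassword   // hypothetical name, not a PrestaShop class
{
    // "$2y$" + two-digit cost + "$" + 22-char salt + 31-char digest = 60 chars.
    private static readonly Regex BcryptFormat =
        new Regex(@"^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}\z");
    // Legacy value: md5() output, 32 lowercase hex characters.
    private static readonly Regex Md5Format = new Regex(@"^[0-9a-f]{32}\z");

    // cookieKey: the 'cookie_key' value from app/config/parameters.php.
    public static bool Verify(string plainPassword, string storedHash, string cookieKey)
    {
        if (string.IsNullOrEmpty(plainPassword) || string.IsNullOrEmpty(storedHash))
            return false;

        if (BcryptFormat.IsMatch(storedHash))
        {
            // Verify() reads the cost and salt back out of storedHash.
            // A freshly generated hash of the same password never equals it.
            return BCrypt.Net.BCrypt.Verify(plainPassword, storedHash);
        }

        if (Md5Format.IsMatch(storedHash) && !string.IsNullOrEmpty(cookieKey))
        {
            // Mirrors md5(_COOKIE_KEY_ . $passwd). The 1.6 snippet quoted above
            // also passes the input through pSQL(), which is not reproduced here.
            byte[] digest;
            using (var md5 = MD5.Create())
                digest = md5.ComputeHash(Encoding.UTF8.GetBytes(cookieKey + plainPassword));
            string hex = BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();

            // Constant-time comparison so timing does not reveal matching prefixes.
            return CryptographicOperations.FixedTimeEquals(
                Encoding.ASCII.GetBytes(hex), Encoding.ASCII.GetBytes(storedHash));
        }

        return false; // unknown format: reject rather than guess
    }
}
```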