Need some custom code changes to the phpBB core simple enough that you feel doesn't require an extension? Then post your request here so that community members can provide some assistance.
NOTE: NO OFFICIAL SUPPORT IS PROVIDED IN THIS SUB-FORUM
I'm using a 3rd party class to allow logging in and account creation from my ASP.NET website. All is well, except for a strange bug that happens on occasion and I can't explain it. I know what my password is... and for any number of reasons I will get logged off, and will not be able to get logged in again even though I know i'm using the correct password.
I checked the password value in the database, and find that it's been rehashed... old value with "$H$9" becomes new pass starting with "$2y$". Does phpbb have some sort of automatic rehashing thing going on?
It's not a bug, phpBB has a cron task that updates password hashes to use a more secure algorithm, You should update your application to use a newer password hashing algorithm instead, $2y$ is for blowfish (bcrypt).
AbaddonOrmuz wrote: ↑Sat Apr 13, 2019 11:50 pm
It's not a bug, phpBB has a cron task that updates password hashes to use a more secure algorithm, You should update your application to use a newer password hashing algorithm instead, $2y$ is for blowfish (bcrypt).
That the intended behaviour of phpBB: whenever a user logs in to phpBB who has a deprecated hash value in the users database (like the ones starting with $H$9), the hash is converted, not reverted, to the current hashing algorithm.
When storing user data in the phpBB user table, you should use the phpBB functions to calculate all relevant values and not some custom coded. It may work for the version of phpBB you developed on, but when version changes, functions and values can change also.
It all makes sense now that I've had time to think it over. I just made a major update to my site and brought all of the registration and authentication over to the .NET side. The old site had it the other way around. I've been able to reduce SPAM to ZERO using .NET. This is a bummer. Thanks for the help.