
Prestashop 1.7.6 customer login password encryption


Paul Albers


Hello,
I'm developing an app for PrestaShop but I'm stuck at the customer login part. I cannot find how the password is being encrypted to match the password in the database. I tried a lot of things, such as combining the cookie_key with the password in md5 and bcrypt, but nothing looks like what is stored in the database. Does anyone have an idea?

Thanks!

Paul


Thanks,
Already found that, but it's a bit difficult to see what's going on and to translate that part to C#. What I tried was:
Added BCrypt.Net from NuGet.

    SaltRevision saltRev = new SaltRevision();
    saltRev = SaltRevision.Revision2Y;
    string mySalt = BCrypt.Net.BCrypt.GenerateSalt(saltRev);
    string hash = BCrypt.Net.BCrypt.HashString(password, saltRev);

But that doesn't work, unfortunately. Or am I using it wrong...

Thanks!


  • 1 year later...
On 3/6/2020 at 11:58 PM, fbenoist.com said:

There are two methods, one with md5, the other with bcrypt.

    $encryptedPassword = md5(_COOKIE_KEY_ . $textPasswd);

or

    $encryptedPassword = password_hash($textPasswd, PASSWORD_BCRYPT);

See https://www.php.net/manual/en/function.password-hash.php

The bcrypt method doesn't use salt.

Hi

I have PrestaShop 1.6, new 1.7. I have changed the COOKIE_KEY_ but this is not the problem.

Customer login passwords don't work.

In version 1.7 it is much more complicated. In this case it is required to change the way the correctness of the password is checked in PrestaShop 1.7. This requires core code changes.

Please, do you know this code?


On 3/6/2020 at 8:44 PM, Paul Albers said:

Hello,
I'm developing an app for PrestaShop but I'm stuck at the customer login part. I cannot find how the password is being encrypted to match the password in the database. I tried a lot of things, such as combining the cookie_key with the password in md5 and bcrypt, but nothing looks like what is stored in the database. Does anyone have an idea?

Thanks!

Paul

Hi, have you found a solution to this problem?


35 minutes ago, Crespi said:

Same question as Takis Kamps... we need to know how password is being encrypted...

Thanks!!

As you can see in their source file Tools.php:

    /**
     * Hash password.
     * @param string $passwd String to hash
     * @return string Hashed password
     * @deprecated 1.7.0
     */
    public static function encrypt($passwd)
    {
        return self::hash($passwd);
    }

    /**
     * Hash password.
     * @param string $passwd String to hash
     * @return string Hashed password
     * @since 1.7.0
     */
    public static function hash($passwd)
    {
        return md5(_COOKIE_KEY_ . $passwd);
    }

Source: https://github.com/PrestaShop/PrestaShop/blob/develop/classes/Tools.php


Thank you for your response @Crezzur. The problem here is that the "app" that needs the password decrypted is not built using PHP, it is built with ASP.NET code. Could you think of a way to decrypt the password without using PHP?

Thanks!


48 minutes ago, Crespi said:

Thank you for your response @Crezzur. The problem here is that the "app" that needs the password decrypted is not built using PHP, it is built with ASP.NET code. Could you think of a way to decrypt the password without using PHP?

Thanks!

Why not encrypt the inputted password in your ASP.NET app with md5() and check if the encrypted passwords are equal?

For example, encrypted password from the PrestaShop database = 999ddd222eee

The user puts in their password in your ASP.NET app, for example HeloThisisMyPassword

Run an md5 encrypt on the password HeloThisisMyPassword, which will result in 999ddd222eee

When you check the PrestaShop encrypted password 999ddd222eee, it should be equal to the encrypted password in your application.


Hi again @Crezzur. We had tried to encrypt the password directly with the md5 method, but the result doesn't match the one given by the webservice. Some sites say that the encryption should be the cookie_key+password with md5, but it still doesn't work.

The encrypted password is something like this ‘$2y$10$4oL0UPdA4ULcuiW1P.H6kOmwZVg/6eScuXXXm.mNLUUP26xEkaX5u’

I wish your solution could work.


14 minutes ago, Crespi said:

Hi again @Crezzur. We had tried to encrypt the password directly with the md5 method, but the result doesn't match the one given by the webservice. Some sites say that the encryption should be the cookie_key+password with md5, but it still doesn't work.

The encrypted password is something like this ‘$2y$10$4oL0UPdA4ULcuiW1P.H6kOmwZVg/6eScuXXXm.mNLUUP26xEkaX5u’

I wish your solution could work.

You need to take the cookie key from your PrestaShop file.

For example, in your application you have to do it like this (PrestaShop 1.7+):

Go to Yourstore\app\config\parameters.php; there you will find a line called something like cookie_key

You need to add this value when you encrypt it in your application.

For example:

    'cookie_key' => 'ThisIsMyExtreemLongCookieKey',

Then you have to encrypt it in your application like:

    md5('ThisIsMyExtreemLongCookieKey' . 'ThisIsTheCustomerPassword');

Because the _COOKIE_KEY_ is created like this in Yourstore\config\bootstrap.php

    // Legacy cookie
    if (array_key_exists('cookie_key', $config['parameters'])) {
        define('_COOKIE_KEY_', $config['parameters']['cookie_key']);
    } else {
        // Define cookie key if missing to prevent failure in composer post-install script
        define('_COOKIE_KEY_', Tools::passwdGen(56));
    }

The encryption of a password is done like this in PrestaShop:

    /**
     * Encrypt password.
     *
     * @param object $object Object to display
     */
    public static function encrypt($passwd)
    {
        return md5(pSQL(_COOKIE_KEY_ . $passwd));
    }

  • 9 months later...
  • 1 year later...

Hi,

It took me a little bit of time to find the right solutions, so I'll post here even if it's an old thread.

1) Solution, as fbenoist wrote perfectly:

    use PrestaShop\PrestaShop\Core\Crypto\Hashing;
    ...

    $crypto = new Hashing();
    $encryptedPassword = $crypto->hash($textPasswd);

The problem with this solution is that every time it runs my hashing changes and everybody is logged out....

....so I found the 2nd:

2) Solution:

    $passwd_crypted = password_hash($plain_password, PASSWORD_BCRYPT);
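
Added example, not part of any post above and not PrestaShop's own code: a stand-alone PHP check that accepts either stored format seen in this thread, the legacy `md5(cookie_key . password)` value or a `$2y$` bcrypt hash. A bcrypt hash embeds a fresh random salt, so it is checked with `password_verify()` rather than by hashing again and comparing strings. The function name `verifyStoredPassword` and all sample values are assumptions made for the example.

```php
<?php
// Added example (not PrestaShop code). All keys, passwords and hashes are constructed.

/**
 * Check a plaintext password against a stored customer hash.
 * $cookieKey is the 'cookie_key' value from app/config/parameters.php (legacy scheme only).
 * Returns ['ok' => bool, 'scheme' => string, 'rehash' => bool].
 */
function verifyStoredPassword(string $plain, string $stored, string $cookieKey): array
{
    // bcrypt hashes ($2y$<cost>$<salt><digest>) carry their own salt and cost,
    // so they are checked with password_verify(), never by hashing again and comparing.
    if (password_get_info($stored)['algoName'] === 'bcrypt') {
        $ok = password_verify($plain, $stored);
        return ['ok' => $ok, 'scheme' => 'bcrypt',
                'rehash' => $ok && password_needs_rehash($stored, PASSWORD_BCRYPT)];
    }
    // Legacy scheme from the thread: 32 hex characters of md5(cookie_key . password).
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        // hash_equals() compares in constant time.
        $ok = hash_equals(strtolower($stored), md5($cookieKey . $plain));
        // A successful legacy login is the moment to store a bcrypt hash instead.
        return ['ok' => $ok, 'scheme' => 'md5', 'rehash' => $ok];
    }
    return ['ok' => false, 'scheme' => 'unknown', 'rehash' => false];
}

// Constructed sample data.
$cookieKey = 'ConstructedCookieKeyForThisExampleOnly';
$password  = 'ConstructedPassword!1';
$legacy    = md5($cookieKey . $password);
$first     = password_hash($password, PASSWORD_BCRYPT);
$second    = password_hash($password, PASSWORD_BCRYPT);

// Two bcrypt hashes of one password differ (new random salt per call), yet both verify.
printf("hashes identical: %s\n", var_export($first === $second, true));
foreach (['first' => $first, 'second' => $second, 'legacy' => $legacy] as $name => $hash) {
    $good = verifyStoredPassword($password, $hash, $cookieKey);
    $bad  = verifyStoredPassword('wrong-password', $hash, $cookieKey);
    printf("%-6s scheme=%-6s correct=%s wrong=%s rehash=%s\n", $name, $good['scheme'],
        var_export($good['ok'], true), var_export($bad['ok'], true),
        var_export($good['rehash'], true));
}
```

The same rule applies outside PHP: use the bcrypt library's verify call (for BCrypt.Net that is `BCrypt.Net.BCrypt.Verify`) with the stored hash, rather than generating a new hash to compare.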

 
