  1. #11
    Join Date
    Jan 2004
    Posts
    66,444
    Plugin Contributions
    279

    Default Re: Customer Passwords

    1. You need two pieces of information: the password entered in the browser, and the password already encrypted in the database.

    To read the customer's password from the database use this:
    SELECT customers_password from customers WHERE customers_email_address = XXXXXXXXXXXX;

    2. Write a CF version of this:
    Code:
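      function validateZenPassword($plain, $encrypted) {
        if ($plain !='' && $encrypted !='') {
          // the stored value has the form "md5hash:salt"
          $stack = explode(':', $encrypted);
          if (sizeof($stack) != 2) return false;
          // strict comparison: == would compare numeric-looking hash strings as numbers
          if (md5($stack[1] . $plain) === $stack[0]) {
            return true;
          }
        }
        return false;
      }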
    3. Use the function to determine whether the password is valid or not.
    i.e. (pseudocode):
    Code:
    if (validateZenPassword(pwd-from-browser, pwd-from-database) == true)
    then loginSuccess
    else loginFail

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  2. #12
    Join Date
    Dec 2006
    Posts
    9
    Plugin Contributions
    0

    Idea or Suggestion Re: Customer Passwords

    Got it! Here's the code I used to test it:

    <cfset encrypted = "dd882845cfebb464c360bb25d9884150:24">
    Encrypted: <cfoutput>#encrypted#</cfoutput><br />
    <cfset stack = ListToArray(encrypted,":")>
    <cfset plain = "Test1234!">
    <cfif ArrayLen(stack) eq 2>
    <cfset concat = stack[2] & plain>
    Added Strings: <cfoutput>#concat#</cfoutput><br />
    Hashed Added Strings: <cfoutput>#hash(concat)#</cfoutput>
    </cfif>
    <br /><br />
    <cfdump var="#stack#">

  3. #13
    Join Date
    Dec 2006
    Posts
    9
    Plugin Contributions
    0

    Idea or Suggestion Re: Customer Passwords

    I think I was making it a lot harder than it needed to be. Thank you for your help everyone! Here is the full login process page in case anyone else needs to validate their customer passwords in ColdFusion:

    Code:
    <cfquery name="qVerify"  datasource="mysqlcf_myezcd_store" maxrows="1">
        SELECT    customers_id, customers_email_address, customers_password, customers_group_pricing
        FROM    myezcd_customers
        WHERE    customers_email_address = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.user_name#">
    </cfquery>
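    <!--- Debug output (record count, cfdump of the stored hash, salted plaintext) removed: it must not be rendered on a login page --->
    <cfset loginOK = false>
    <!--- Only split and compare when a customer row was found and the stored value has both parts --->
    <cfif qVerify.recordcount eq 1>
        <cfset stack = ListToArray(qVerify.customers_password,":")>
        <cfif ArrayLen(stack) eq 2>
            <cfset saltplain = stack[2] & form.user_pass>
            <!--- compareNoCase forces a string comparison; hash() returns upper-case hex, the stored value is lower-case --->
            <cfset loginOK = (compareNoCase(stack[1], hash(saltplain, "MD5")) eq 0)>
        </cfif>
    </cfif>

    <cfif loginOK>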
        <cfif qVerify.customers_group_pricing eq 1>
        <!--- This user has logged in correctly, change the value of the session.allowin value --->
        <cfset session.allowin = "True">
        <cfset session.user_id = qVerify.customers_id>
        <!--- Now welcome user and redirect to "members_only.cfm" --->
        <script>
            alert("Welcome user, you have been successfully logged in!");
            self.location="/landing.cfm";
        </script>
        <cfelse>
            <!--- this user logged in correctly, but does not have access to the reseller site (customers_group_pricing ne 1) --->
            <script>
                alert("Invalid Email Address or Password");
                self.location="Javascript:history.go(-1)";
            </script>
        </cfif>
    <cfelse>
        <!--- this user did not log in correctly, alert and redirect to the login page --->
        <script>
            alert("Invalid Email Address or Password");
            self.location="Javascript:history.go(-1)";
        </script>
    </cfif>

  4. #14
    Join Date
    May 2004
    Posts
    86
    Plugin Contributions
    0

    Default Re: Customer Passwords

    Quote: Originally Posted by DrByte
    To encrypt a password, call this function, passing the plaintext password to it. This is ONLY needed if you're preparing to save TO the database:
    Code:
      function zen_encrypt_password($plain) {
        $password = '';
    
        for ($i=0; $i<10; $i++) {
          $password .= zen_rand();
        }
    
        $salt = substr(md5($password), 0, 2);
    
        $password = md5($salt . $plain) . ':' . $salt;
    
        return $password;
      }
    I have several separate applications (zen, wordpress, a custom classifieds, calendar, etc.) that I'm trying to tie together such that the users have a single login using a single ADDUSER set of scripts. These scripts ask for all the account info required for each application, then seed it into the various databases.

    Thus far, I've gotten everyone to play together EXCEPT zen. I have successfully dropped all the info into zen, but there appears to be something wrong with the password encryption. I've incorporated the zen_encrypt_password function, but am getting an 'undefined function: zen_rand()' error.

    Where might I locate the zen_rand() function and/or any other functions that it uses?

    Alternatively, I suppose I could require the password_funcs.php from inside my adduser script, but I'm still left with the question of where is zen_rand() and what other scripts do I need to require inside my app?

    Thanks in advance.
    the Imagination Factory & DaVinci Wood Models
    www.what-if.com & www.davincistore.com
    Apache2.x (FreeBSD/Linux) PHP 5.x mySQL 5.x
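
Added example, not part of the original posts and not Zen Cart's own code: stand-alone PHP versions of the validation function from post #11 and the encryption function quoted in post #14, written so that an external script can produce and check the same `md5(salt . plain):salt` format without requiring `zen_rand()`. The function names are hypothetical, the salt source (`random_bytes()`, PHP 7+) is swapped in and is not what `zen_rand()` does, and `hash_equals()` needs PHP 5.6 or later.

```php
<?php
// Added example: legacy Zen Cart password format handled outside Zen Cart.
// Stored format, as shown in the thread: md5(salt . plaintext) . ':' . salt

// Build a value in the legacy format. The two-character hex salt comes from
// random_bytes() here (an assumption, replacing the zen_rand() loop).
function legacy_encrypt_password($plain) {
    $salt = bin2hex(random_bytes(1));          // exactly two hex characters
    return md5($salt . $plain) . ':' . $salt;
}

// Validate a login attempt against a stored "hash:salt" value.
function legacy_validate_password($plain, $stored) {
    if (!is_string($plain) || !is_string($stored) || $plain === '') {
        return false;                          // nothing to check
    }
    $stack = explode(':', $stored);
    if (count($stack) !== 2) {
        return false;                          // malformed or empty column
    }
    list($hash, $salt) = $stack;
    if (!preg_match('/^[0-9a-f]{32}$/', $hash)) {
        return false;                          // not an MD5 hex digest
    }
    // hash_equals() compares byte by byte in constant time, so numeric-looking
    // hex strings are never compared as numbers the way loose == would.
    return hash_equals($hash, md5($salt . $plain));
}

// Constructed sample values, for illustration only.
$stored = legacy_encrypt_password('Sample-Passw0rd');
var_dump(legacy_validate_password('Sample-Passw0rd', $stored));
var_dump(legacy_validate_password('wrong-guess', $stored));
var_dump(legacy_validate_password('Sample-Passw0rd', 'no-salt-here'));
```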

 

 