How to verify CS-cart passwords?

jeffshead · July 28, 2012, 12:00am

How can I verify user entered passwords against the ones in the CS-Cart 3.x database?

I've tried all of the following but none work:

while($row = mysql_fetch_array($result)) { $hash = $row['password']; $salt = $row['salt']; } if (md5($password . $salt) == $hash) { $authUser = 'yes';

while($row = mysql_fetch_array($result)) { $hash = $row['password']; $salt = $row['salt']; } if (md5($salt . $password) == $hash) { $authUser = 'yes';

while($row = mysql_fetch_array($result)) { $hash = $row['password']; $salt = $row['salt']; } if (md5(md5($password) . $salt) == $hash) { $authUser = 'yes';

while($row = mysql_fetch_array($result)) { $hash = $row['password']; $salt = $row['salt']; } if (md5(md5($salt) . $password) == $hash) { $authUser = 'yes';

The code below worked with CS-Cart 2.x but it did not have 'salt' in the cscart_users table like CS-Cart 3.x does:

while($row = mysql_fetch_array($result)) { $hash = $row['password']; } if (md5($password) == $hash) { $authUser = 'yes';

[color=#FF0000]UPDATE:[/color]

This works:

if (md5(md5($password) . md5($salt)) == $hash) {

parodius420 · July 28, 2012, 12:00am

Not sure what this does or what you are trying to do?

jeffshead · July 28, 2012, 12:00am

[quote name='parodius420' timestamp='1343451107' post='141695']

Not sure what this does or what you are trying to do?

[/quote]

I'm trying to create a login share script for another system so users with a CS-Cart account can use their credentials to login to the other system. I needed to know how the passwords in CS-Cart are hashed so I can verify the passwords entered by users when they submit the login form on the other system but I already figured it out and updated my original post.

tbirnseth · July 28, 2012, 12:00am

Correct way to do it so that it handles passwords not created in V3 is:

while($row = mysql_fetch_array($result)) { $hash = $row['password']; $salt = $row['salt']; } if( $salt ) $compare_hash = md5(md5($password).md5($salt)); else $compare_hash = md5($password); if( $hash == $compare_hash) $all_is_well = true; else $all_is_well = false;

jeffshead · July 28, 2012, 12:00am

tbirnseth,

Luckily, this is a new project, not an upgrade install but I really appreciate you taking the time to share your wisdom.

Thanks again

If I may ask, have you ever created a login share script for Kayako? I’m at my wit’s end because I’m able to verify the user info from CS-Cart and return the proper XML for Kayako but I can’t get it to work. I’m stuck because I can’t figure out how to troubleshoot. I’m not getting any errors and Kayako just throws the same generic response as when you login with the wrong email or password.

tbirnseth · July 29, 2012, 12:00am

Sorry, no I haven't.

jeffshead · August 10, 2012, 12:00am

I used tbirnseth's way of handling passwords and updated another's Kayako loginshare script so it now works with CS-Cart v.2.x and v.3.x.

You can find it here:

[url=“Kayako 4 LoginShare script - Hints & Modifications - CS-Cart Community Forums”]Kayako 4 LoginShare script - Hints & Modifications - CS-Cart Community Forums