Monday, October 14, 2013

9:53 AM
A few months back we were rebuilding an existing site; the mandate was to use PHP for the upcoming release, but the existing site used Ruby on Rails' RESTful Authentication gem to hash user passwords with a per-user salt. Each user had both a hashed password and a salt value that was being updated every time the user successfully logged in. Pretty smart.

Our problem was that we had to re-create the hashing of the user's password so existing users could log into the new site with their old passwords. With the code below we hash the entered password exactly the way the Rails app did, so authentication works in the new application. Fortunately the existing application used the gem's default hashing method (we didn't have access to the old site's source code), so it was just a matter of digging through the gem's Git history to understand how the hashing process worked.

<?php
// $salt and $crypted_password as retrieved from the user's row based on the supplied email address
$salt = '36493cef361b8b180863fe3e2685473f676359df';
$crypted_password = $row['crypted_password'];

$password = $_POST['password'];

// NOTE: this assumes a default RESTful Authentication setup (no site key, no stretching),
// i.e. the Ruby side did Digest::SHA1.hexdigest("--#{salt}--#{password}--")
$digest = sha1('--' . $salt . '--' . $password . '--');

// The digest should now match the stored value if the password was entered correctly.
// Compare in constant time rather than with == so the check does not leak timing information.
$authenticated = hash_equals($crypted_password, $digest);
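The snippet above only covers the gem's default. Later versions of restful_authentication generate a `config/initializers/site_keys.rb` with `REST_AUTH_SITE_KEY` and `REST_AUTH_DIGEST_STRETCHES`, and compute the digest as `REST_AUTH_SITE_KEY` run through `secure_digest(digest, salt, password, REST_AUTH_SITE_KEY)` that many times; with an empty site key and a single stretch this collapses to exactly `sha1("--salt--password--")`. The added example below (not code from the original post, and not the gem's own code) implements that general form in PHP, verifies a legacy row in constant time, and then replaces the SHA-1 digest with a `password_hash()` hash on the first successful login so the old scheme is retired instead of being carried forward. The column names `crypted_password` and `salt` follow the gem's conventions, the `password_hash` column and the sample row are assumptions made up for the example.

```php
<?php
declare(strict_types=1);

// Added example: generalised restful_authentication digest.
// With $siteKey = '' and $stretches = 1 it reduces to sha1("--$salt--$password--"),
// the default discussed in the post. Site key and stretch count are assumptions
// taken from the gem's site_keys.rb initializer; use the old app's values if it had them.
function restfulAuthDigest(string $password, string $salt, string $siteKey = '', int $stretches = 1): string
{
    $digest = $siteKey;
    for ($i = 0; $i < $stretches; $i++) {
        // Mirrors the gem's secure_digest: SHA-1 over the pieces joined with '--'
        $digest = sha1(implode('--', [$digest, $salt, $password, $siteKey]));
    }
    return $digest;
}

// Verify a supplied password against a legacy row in constant time.
function verifyLegacyPassword(string $password, array $userRow, string $siteKey = '', int $stretches = 1): bool
{
    $candidate = restfulAuthDigest($password, $userRow['salt'], $siteKey, $stretches);
    return hash_equals($userRow['crypted_password'], $candidate);
}

// Login that transparently upgrades legacy SHA-1 rows to password_hash().
// $userRow is passed by reference; the caller persists it on success.
// The 'password_hash' column is an assumption for this example.
function loginAndUpgrade(string $password, array &$userRow, string $siteKey = '', int $stretches = 1): bool
{
    if ($userRow['password_hash'] !== null) {
        // Already migrated: use the modern hash only, and rehash if the cost parameters changed
        if (!password_verify($password, $userRow['password_hash'])) {
            return false;
        }
        if (password_needs_rehash($userRow['password_hash'], PASSWORD_DEFAULT)) {
            $userRow['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
        }
        return true;
    }

    if (!verifyLegacyPassword($password, $userRow, $siteKey, $stretches)) {
        return false;
    }

    // Legacy digest verified: store a modern hash and drop the SHA-1 material
    $userRow['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    $userRow['crypted_password'] = null;
    $userRow['salt'] = null;
    return true;
}

// Constructed sample row (not real data): salt from the post, digest computed here
$salt = '36493cef361b8b180863fe3e2685473f676359df';
$user = [
    'crypted_password' => restfulAuthDigest('correct horse battery staple', $salt),
    'salt'             => $salt,
    'password_hash'    => null,
];

var_dump(loginAndUpgrade('wrong password', $user));
var_dump(loginAndUpgrade('correct horse battery staple', $user));
var_dump($user['password_hash'] !== null && $user['crypted_password'] === null);
```

If the old application was generated with a non-empty site key or with stretching enabled, pass those values in; a mismatch shows up as every legacy login failing, so test against one known account before rolling the migration out. Once every active user has logged in once, the `crypted_password` and `salt` columns can be dropped.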