Duplicate hash method for password in .NET

We are managing the sales, subscriptions and customer profiles/accounts to our products via WP 4.1. The subscriptions are to products on a separate server with .NET. After a customer makes a purchase on the WP side, we’d like to push the customer account details (i.e. user name, password, etc.) to the .NET application and these credentials will be used to log into the .NET app. The challenge that I’m running into is how to duplicate on the .NET side the same hash method used in WP. I know that WP uses PHPass (http://www.openwall.com/phpass/) to hash the passwords, but there isn’t a library available for .NET.

A couple of questions:

  1. Is there an “easy” solution to this, to be able to duplicate the hash method on the .NET side?

  2. Is SECURE_AUTH_SALT the salt used for generating the password hash? We have SSL enabled.

One possible solution could be to “degrade” the hash method on the WP side to just a simple MD5 hash using a salt, a method I could then easily duplicate on the .NET side and accomplished as described here: “How can I change the default wordpress password hashing system to something custom?” Thoughts on this?

3 Answers
3

Here is the library: http://www.zer7.com/software/cryptsharp

And this is “how to use”:

    public override bool ValidateUser(string name, string password)
    {
        if (string.IsNullOrWhiteSpace(name))
            return false;
        if (string.IsNullOrWhiteSpace(password))
            return false;

        // this is just fetching the hash from the WP-database using BLToolkit. You can use any other way to get the hash from db ;)
        UserData ud = null;
        using (Db db = new Db())
        {
            db.SetCommand(@"SELECT id, user_pass FROM wp_users WHERE user_login=@user_login AND user_status=0",
                db.Parameter("user_login", name)
            );

            ud = db.ExecuteObject<UserData>();

        }

        if (null == ud)
            return false;
        // !!!! HERE IS CHECKING !!!
        // LIB USAGE:
        return CryptSharp.PhpassCrypter.CheckPassword(password, ud.user_pass);
    }

This code is a part of custom MembershipProvider.
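What a check of a phpass “portable” hash involves, as an added C# example; it is not CryptSharp's code and not part of the original answer. It reads the iteration cost and the 8-character salt out of the stored hash string itself, so no value from wp-config.php is involved. Assumptions: the stored value is a 34-character `$P$`/`$H$` portable hash, the password was hashed as UTF-8 bytes, and the class and method names are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
public static class PhpassPortable
{
    const string Itoa64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    // Recompute the hash from the stored value's first 12 chars; null if they are malformed.
    public static string Compute(string password, string stored)
    {
        string id = stored == null || stored.Length < 12 ? "" : stored.Substring(0, 3);
        if (id != "$P$" && id != "$H$") return null;
        int log2 = Itoa64.IndexOf(stored[3]);            // cost char: 2^log2 MD5 rounds
        if (log2 < 7 || log2 > 30) return null;
        byte[] salt = Encoding.ASCII.GetBytes(stored.Substring(4, 8));
        byte[] pass = Encoding.UTF8.GetBytes(password);  // assumption: UTF-8 password bytes
        using (MD5 md5 = MD5.Create())
        {
            byte[] h = md5.ComputeHash(salt.Concat(pass).ToArray());
            for (long n = 1L << log2; n > 0; n--)
                h = md5.ComputeHash(h.Concat(pass).ToArray());
            return stored.Substring(0, 12) + Encode64(h);
        }
    }

    public static bool Verify(string password, string stored)
    {
        string expected = Compute(password, stored);
        if (expected == null || expected.Length != stored.Length) return false;
        int diff = 0;                                    // compare without early exit
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ stored[i];
        return diff == 0;
    }

    // phpass's own base64 variant: 6-bit groups, least significant first, no padding.
    static string Encode64(byte[] input)
    {
        var sb = new StringBuilder();
        for (int i = 0; i < input.Length; i += 3)
        {
            int v = input[i];
            if (i + 1 < input.Length) v |= input[i + 1] << 8;
            if (i + 2 < input.Length) v |= input[i + 2] << 16;
            int chars = Math.Min(input.Length - i, 3) + 1;   // 1 byte -> 2 chars, 3 -> 4
            for (int k = 0; k < chars; k++) sb.Append(Itoa64[(v >> (6 * k)) & 0x3f]);
        }
        return sb.ToString();
    }
}
```

`PhpassPortable.Verify(password, ud.user_pass)` takes the same two arguments as the library call in the answer above.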
