[eluser]WanWizard[/eluser]
The salt is stored in the user record at the moment, it is generated when the user record is created, or regenerated when the user changes the password.
We thought about storing the salt elsewhere, but imho the benifit is negligible, if a hacker can get in to the level that he has access to the database tables, he probably has access to all other data as well...
This is the code used in the local authentication module of ExiteCMS:
Code:
// attempt to get the user info
$user = $this->fetch( array('name' => set_value('auth_local_username') ) );
// a user found? then use the salt (if present) and check the password
if ( $user->id )
{
// check if this is an MD5 or SHA1 password hash
if ( strlen($user->password) == 32 )
{
if ( ! empty($user->password_salt) )
{
// encode the password
$password = md5(md5(set_value('auth_local_password')).$user->password_salt);
}
else
{
// encode the password
$password = md5(md5(set_value('auth_local_password')));
}
}
else
{
if ( ! empty($user->password_salt) )
{
// encode the password
$password = sha1(set_value('auth_local_password').$user->password_salt);
}
else
{
// encode the password
$password = sha1(set_value('auth_local_password'));
}
}
// does the encoded password match?
if ( $password === $user->password )
{
// update the password to a SHA1 hashed password if needed
if ( strlen($user->password) == 32 )
{
// generate a random salt for this password
$user->password_salt = md5(microtime(TRUE));
// create the new password hash
$user->password = sha1(set_value('auth_local_password').$user->password_salt);
}
// we have a valid login. update the last_visit timestamp
$user->lastvisit = now();
$user->save();
}
else
{
// no match
$user = $this->rbac->library->rbac->_dummy_user('guest');
}
}
// user record found?
if ( ! $user->id )
{
// no. logon failed, show an error message and signal failure
$this->exitecms->message( $this->self->lang->line('authentication_account_unknown'), MSG_ERROR );
}
