Camen Design Forum

logging in as a member to a locked forum

glyn

I have set up a forum with a "locked.txt" file ("posts") and a "members.txt" file with a list of usernames. But when I try to sign in using one of the usernames I get a login dialogue ("Authentication required") with my own (admin) name pre-entered. If I overwrite this with one of my listed usernames and a password it will not accept any of them, but reverts every time to my own (admin) user name. I'm guessing that I have to change something on my host server but I'm at a loss as to what. Any hints gratefully received.


Replies

#1. Martijn

Did you already make the users? Either by posting somewhere else on the forum or by manually creating the user file?

#2. glyn

No. It's not clear to me how I would do either of these. As it stands I can't post except in my own name. Creating the user file manually sounds like a solution but I'd appreciate instructions! Many thanks for your speedy response.

#3. Martijn

When you add usernames to the members file, these have to be *existing* usernames. Someone has to have created them with a password already. Normally a user is created when they post for the first time, but if you only have a locked board there is no way for them to do that so you are stuck.

Every user gets 1 file containing a cryptographic hash of their password in the users folder. If you have no users except for your admin user, there should only be a file called `c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec.txt` in there.

Lines 189 to 198 of `start.php` show you how this file is made: https://github.com/Kroc/NoNonsenseForum/blob/master/start.php#L189-L198

%
        //users are stored as text files based on the hash of the given name
        $name = hash ('sha512', strtolower (NAME));
        $user = FORUM_ROOT.DIRECTORY_SEPARATOR.FORUM_USERS.DIRECTORY_SEPARATOR."$name.txt";
        
        //create the user, if new:
        //- if registrations are allowed (`FORUM_NEWBIES` is true)
        //- you can’t create new users with the HTTP_AUTH sign in
        if (FORUM_NEWBIES && !isset ($_SERVER['PHP_AUTH_USER']) && !file_exists ($user))
                file_put_contents ($user, hash ('sha512', $name.PASS)) or require FORUM_LIB.'error_permissions.php'
        ;
%

The filename is an sha512 hash of the username (all lowercase) and the file is filled with an sha512 hash of the hashed username and the password. As an example, if my username is `Glyn` and my password is `password` I get the following:

1. The lowercase version of `Glyn` is `glyn`.
2. The sha512 hash of `glyn` is `558be438d3dba9c9fb30c3d517bc21f0da2fad4128198a4a23e12a58798c969da18c2910dc299dcf6619458dc0957aabddf3694376c9c70653975a8380e7c576`.
3. Adding the password (`password`) to the username hash gives us `558be438d3dba9c9fb30c3d517bc21f0da2fad4128198a4a23e12a58798c969da18c2910dc299dcf6619458dc0957aabddf3694376c9c70653975a8380e7c576password`.
4. The sha512 hash of the combined string in step 3 is `191819174d7f8f1c69a5008a230e0a0ca76ec89b3231335e01779299ad93452c5aa353f8d3698a90ac3a6be50e689353cb9579ed3ddeb6d101b1c20dce9740f8`.
5. Create a file `558be438d3dba9c9fb30c3d517bc21f0da2fad4128198a4a23e12a58798c969da18c2910dc299dcf6619458dc0957aabddf3694376c9c70653975a8380e7c576.txt` in the users folder, with its sole contents the hash from step 4: `191819174d7f8f1c69a5008a230e0a0ca76ec89b3231335e01779299ad93452c5aa353f8d3698a90ac3a6be50e689353cb9579ed3ddeb6d101b1c20dce9740f8`

You can do this manually using any sha512 website; I used http://hash.online-convert.com/sha512-generator now as it was the first hit I got on a search engine. It would probably go faster if you know how to use a command-line solution like openssl.

I hope that helps!

#4. glyn

Thank you so much, Martijn, that's brilliantly clear. But I fear it may rule out for my purposes an otherwise very neat resource - unless, as you say, I can come up with a faster way of creating the user files. Ah well...

#5. Martijn

Just create a non-locked sub-forum to post in? Any time you make a post, an account is created for the username you used.

Another thing you can try is to remove `&& !isset ($_SERVER['PHP_AUTH_USER']) ` from line 196 of `start.php`, making it:

%
        if (FORUM_NEWBIES && !file_exists ($user))
%

Then you should be able to create accounts just by logging in to the locked forum. Though I have never tested what impact that may have.
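The five steps from reply #3 as a shell script, for creating user files without a hashing website. This is an added example, not part of the thread or of NoNonsenseForum's own code; the function names and the `name:password` input format are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: builds NoNonsenseForum user files following the start.php
# lines quoted in reply #3. All function names here are hypothetical.

# Hex SHA-512 of stdin; prefers coreutils sha512sum, falls back to openssl.
sha512_hex() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum | cut -d' ' -f1
    else
        openssl dgst -sha512 -r | cut -d' ' -f1
    fi
}

# Steps 1-2: SHA-512 of the lowercased username. Only A-Z is folded
# (assumption: ASCII usernames; PHP's strtolower may differ otherwise).
nnf_name_hash() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sha512_hex
}

# Steps 3-4: SHA-512 of (username hash + password), the file's sole content.
nnf_pass_hash() {
    printf '%s%s' "$(nnf_name_hash "$1")" "$2" | sha512_hex
}

# Step 5: write <users folder>/<name hash>.txt; never overwrite an account.
nnf_create_user() {
    local file
    [ -d "$1" ] || { echo "no such users folder: $1" >&2; return 1; }
    if [ -z "$2" ] || [ -z "$3" ]; then
        echo "empty name or password" >&2; return 1
    fi
    file="$1/$(nnf_name_hash "$2").txt"
    if [ -e "$file" ]; then
        echo "user already exists: $2" >&2; return 2
    fi
    # No trailing newline: start.php stores the bare hash string.
    printf '%s' "$(nnf_pass_hash "$2" "$3")" > "$file"
}

# Bulk creation from "name:password" lines on stdin, so passwords stay out
# of argv and shell history. Usage: nnf_add_from_stdin /path/to/users < list
nnf_add_from_stdin() {
    local rc name pass
    rc=0
    while IFS=: read -r name pass; do
        [ -n "$name" ] || continue
        nnf_create_user "$1" "$name" "$pass" || rc=1
    done
    return "$rc"
}
```

The stored value is a single round of SHA-512 over the username hash and password, which is fast to guess against, so keep the users folder unreadable over the web and delete the input list once the files are written.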

Your friendly neighbourhood moderators: Kroc, Impressed, Martijn