Camen Design Forum

logging in as a member to a locked forum

Martijn

When you add usernames to the members file, these have to be *existing* usernames. Someone has to have created them with a password already. Normally a user is created when they post for the first time, but if you only have a locked board there is no way for them to do that so you are stuck.

Every user gets 1 file containing a cryptographic hash of their password in the users folder. If you have no users except for your admin user, there should only be a file called `c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec.txt` in there.

Lines 189 to 198 of `start.php` show you how this file is made: https://github.com/Kroc/NoNonsenseForum/blob/master/start.php#L189-L198

%
        //users are stored as text files based on the hash of the given name
        $name = hash ('sha512', strtolower (NAME));
        $user = FORUM_ROOT.DIRECTORY_SEPARATOR.FORUM_USERS.DIRECTORY_SEPARATOR."$name.txt";
        
        //create the user, if new:
        //- if registrations are allowed (`FORUM_NEWBIES` is true)
        //- you can’t create new users with the HTTP_AUTH sign in
        if (FORUM_NEWBIES && !isset ($_SERVER['PHP_AUTH_USER']) && !file_exists ($user))
                file_put_contents ($user, hash ('sha512', $name.PASS)) or require FORUM_LIB.'error_permissions.php'
        ;
%

The filename is an sha512 hash of the username (all lowercase) and the file is filled with an sha512 hash of the hashed username and the password. As an example, if my username is `Glyn` and my password is `password` I get the following:

1. The lowercase version of `Glyn` is `glyn`.
2. The sha512 hash of `glyn` is `558be438d3dba9c9fb30c3d517bc21f0da2fad4128198a4a23e12a58798c969da18c2910dc299dcf6619458dc0957aabddf3694376c9c70653975a8380e7c576`.
3. Adding the password (`password`) to the username hash gives us `558be438d3dba9c9fb30c3d517bc21f0da2fad4128198a4a23e12a58798c969da18c2910dc299dcf6619458dc0957aabddf3694376c9c70653975a8380e7c576password`.
4. The sha512 hash of the combined string in step 3 is `191819174d7f8f1c69a5008a230e0a0ca76ec89b3231335e01779299ad93452c5aa353f8d3698a90ac3a6be50e689353cb9579ed3ddeb6d101b1c20dce9740f8`.
5. Create a file `558be438d3dba9c9fb30c3d517bc21f0da2fad4128198a4a23e12a58798c969da18c2910dc299dcf6619458dc0957aabddf3694376c9c70653975a8380e7c576.txt` in the users folder, with its sole contents the hash from step 4: `191819174d7f8f1c69a5008a230e0a0ca76ec89b3231335e01779299ad93452c5aa353f8d3698a90ac3a6be50e689353cb9579ed3ddeb6d101b1c20dce9740f8`

You can do this manually using any sha512 website; I used http://hash.online-convert.com/sha512-generator now as it was the first hit I got on a search engine. It would probably go faster if you know how to use a command-line solution like openssl.

I hope that helps!
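
The five steps in the post above, as a shell sketch added here; it is not part of the original post or of NoNonsenseForum. The function names are made up for this example, and it assumes `sha512sum` from GNU coreutils and an ASCII username (so that `tr` lowercases it the way `strtolower` does in the quoted code).

```sh
#!/bin/sh
# Added example: create a NoNonsenseForum user file by hand.
# All function names here are hypothetical; none come from the forum software.

# sha512_hex STRING -> hex digest of exactly those bytes (no trailing newline)
sha512_hex() {
    printf '%s' "$1" | sha512sum | cut -d' ' -f1
}

# nnf_name_hash USERNAME -> filename stem: sha512(lowercase(username))
nnf_name_hash() {
    sha512_hex "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# nnf_pass_hash USERNAME PASSWORD -> file contents: sha512(name_hash . password)
nnf_pass_hash() {
    sha512_hex "$(nnf_name_hash "$1")$2"
}

# nnf_create_user USERS_DIR USERNAME PASSWORD
# Writes USERS_DIR/<name_hash>.txt and prints its path.
# Refuses to overwrite, so an existing account's password is never replaced.
nnf_create_user() {
    users_dir=$1
    if [ ! -d "$users_dir" ]; then
        echo "no such directory: $users_dir" >&2; return 2
    fi
    file="$users_dir/$(nnf_name_hash "$2").txt"
    if [ -e "$file" ]; then
        echo "user already exists: $2" >&2; return 1
    fi
    # file_put_contents in the quoted code writes the bare hash, so write
    # it here without a trailing newline as well
    printf '%s' "$(nnf_pass_hash "$2" "$3")" > "$file"
    printf '%s\n' "$file"
}

# nnf_prompt_create USERS_DIR USERNAME
# Reads the password with terminal echo off, so it stays out of shell history.
nnf_prompt_create() {
    printf 'Password for %s: ' "$2" >&2
    stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
    nnf_create_user "$1" "$2" "$pw"; rc=$?
    unset pw
    return $rc
}
```

Run `nnf_prompt_create /path/to/users Glyn` after sourcing the file, with the path pointing at the forum's users folder, then add the same username to the members file.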
