cryptation
#1
I need to know the function that GS uses to encrypt and decrypt the administrator password.
This should be in the core functions of GS, but I can't find it.

Thanks
Reply
#2
We never decrypt the password. This would make for a very insecure system in Open source because anyone could just look into the function and decrypt any passwords they might find.

The function used to hash the password is passhash() and can be found at line 535 of /admin/inc/template_functions.php. It's a very straight-forward sha1 encryption of your password and a random SALT.
“Don’t forget the important ˚ (not °) on the a,” says the Unicode lover.
Help us test a key change for the core! ¶ Problems with GetSimple? Be sure to enable debug mode!
Reply
#3
OK, I see, thanks.

So I encrypt the data with

$cripted_data = passhash($data);
if ($cripted_data === $stored_value) {}


But if the salt is random, do I get the same value?
Reply
#4
Yes, the SALT is randomly created when you install GetSimple. So it’s not a new random string every time, but it’s a different random string for each website.
Reply
#5
Zegnåt Wrote: Yes, the SALT is randomly created when you install GetSimple. So it’s not a new random string every time, but it’s a different random string for each website.

OK, I see that this is correct.

Where is the salt value saved? Because if I transfer the data files to a different website or a new installation, I can't certify my old users.
Reply
#6
If I’m not mistaken, it’s saved in authorization.xml, in an element called apikey.
Reply
#7
Zegnåt Wrote: If I’m not mistaken, it’s saved in authorization.xml, in an element called apikey.

Yes, you are not mistaken.

But the value is
<apikey></apikey>

That's no value.

I notice that GSLOGINSALT and GSUSECUSTOMSALT are defined (commented out) in GSconfig.php,

and that passhash() checks whether GSUSECUSTOMSALT is defined, or else uses "null" as the salt,
and returns sha1($string,null); as the encrypted password.

So I'm not so sure that every website has a different salt value.
I think it is simpler for me to define GSUSECUSTOMSALT in GSCONFIG.PHP.
Reply
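The behaviour discussed in this thread, as an added example that is not part of any post and is not GetSimple's own code: it shows why a site-wide salt gives a reproducible hash on one installation, why moving user files to a site with a different salt breaks logins, what an empty salt reduces to, and how old hashes can be upgraded on login. The function names, the password-then-salt concatenation order and the sample values are assumptions; the real passhash() may differ.

```php
<?php
// Added illustration. Function names are hypothetical; this is not passhash().

// Scheme as described in the thread: SHA-1 over the password plus one
// installation-wide salt. An empty $siteSalt models "no salt configured".
function demo_legacy_hash(string $password, string $siteSalt): string
{
    return sha1($password . $siteSalt);
}

// hash_equals() compares in constant time and, unlike ==, never treats
// two different "0e..." hex strings as equal numbers.
function demo_legacy_verify(string $password, string $siteSalt, string $stored): bool
{
    return hash_equals($stored, demo_legacy_hash($password, $siteSalt));
}

// Accept an old 40-hex-character SHA-1 value once, then replace it with
// password_hash(), which creates a fresh salt per password and embeds it.
function demo_login(string $password, string $siteSalt, string $stored): array
{
    $isLegacy = strlen($stored) === 40 && ctype_xdigit($stored);
    $ok = $isLegacy
        ? demo_legacy_verify($password, $siteSalt, $stored)
        : password_verify($password, $stored);
    $new = ($ok && $isLegacy) ? password_hash($password, PASSWORD_DEFAULT) : $stored;
    return [$ok, $new];
}

// Constructed sample values, not taken from any real installation.
$pw     = 'correct horse';
$saltA  = 'site-A-constructed-salt';
$saltB  = 'site-B-constructed-salt';
$stored = demo_legacy_hash($pw, $saltA);

// Same installation salt: the stored value can be recomputed and matched.
var_dump(demo_legacy_verify($pw, $saltA, $stored));
// User file moved to a site with another salt: the same password no longer matches.
var_dump(demo_legacy_verify($pw, $saltB, $stored));
// No salt at all: the value is plain sha1(password), identical on every site.
var_dump(demo_legacy_hash($pw, '') === sha1($pw));
// Migration path: verify against the old value, then store the upgraded hash.
[$ok, $upgraded] = demo_login($pw, $saltA, $stored);
var_dump($ok, password_verify($pw, $upgraded), $upgraded !== $stored);
```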



