在php中使用django密码进行身份验证

Question

I am trying to create a login system on the same server in php which creates registration through django.

I have no idea of how django encrypts passwords. The password which I can see in my database are like this:

pbkdf2_sha256$10000$qlzlSSgHottd$5hV9BfLpzyAS62KZhvRyDBnagr1rYf29VbkZbfjipV4=

Now I want to create a login system in PHP which validates using the above hashed specified password . So Please help me out how to create a login system for PHP

Note: The database is already setup and I have thousands of users who are using it I need authentication for a different system which I am building

Answer 1

I met the same situation as you did, Prateek, and with some studies, the following codes did what I want, and it's what you want.

<?php
ini_set('display_errors', 'On');
error_reporting(E_ALL);

function make_password($password) {
    $algorithm = "pbkdf2_sha256";
    $iterations = 10000;

    $newSalt = mcrypt_create_iv(6, MCRYPT_DEV_URANDOM);
    $newSalt = base64_encode($newSalt);

    $hash = hash_pbkdf2("SHA256", $password, $newSalt, $iterations, 0, true);    
    $toDBStr = $algorithm ."$". $iterations ."$". $newSalt ."$". base64_encode($hash);

    // This string is to be saved into DB, just like what Django generate.
    echo $toDBStr;
}

function verify_Password($dbString, $password) {
    $pieces = explode("$", $dbString);

    $iterations = $pieces[1];
    $salt = $pieces[2];
    $old_hash = $pieces[3];

    $hash = hash_pbkdf2("SHA256", $password, $salt, $iterations, 0, true);
    $hash = base64_encode($hash);

    if ($hash == $old_hash) {
       // login ok.
       return true;
    }
    else {
       //login fail       
       return false; 
    }
}
?>

The $toDBStr generated in make_password is exactly the same as what you post in this thread, and you can save the string to any database, even keep use the DB created by Django.

And you need to select the string to pass to the verify_Password function to verify if the password is the same as what user inputed.

The above PHP code requires PHP 5.5 to have the hash_pbkdf2 function.

Enjoy it.

Answer 2

Instead of recreating the hashing process in PHP, you might wanna let Django handle that for you.

Use this script to get hashes from raw passwords:

django_password_hash.py :

import sys
from django.conf import settings
settings.configure()
from django.contrib.auth import hashers
raw_password = sys.argv[1]
try:
    salt = sys.argv[2]
except IndexError:
    salt = None
hash = hashers.make_password(raw_password, salt=salt)
sys.stdout.write("%s\n" % hash)
sys.stdout.flush()
sys.exit(0)

Then call it from PHP, something like this:

<?php
    $password_hash = shell_exec('python /path/to/django_password_hash.py ' . $raw_password . ' ' . $salt);
    // compare the value in $password_hash to database, etc...
    // account for the "\n" at the end of $password_hash

Don't forget http://www.php.net/manual/en/function.escapeshellcmd.php

Answer 3

this function create a django hash in php 7.0+

function create(string $password, $iterations=36000, $algorithm='sha256', $iterations=36000) : string{
    $salt = base64_encode(openssl_random_pseudo_bytes(9));

    $hash = hash_pbkdf2($algorithm, $password, $salt, $iterations, 32, true);

    return 'pbkdf2_' . $algorithm . '$' . $iterations . '$' . $salt . '$' . base64_encode($hash);
}

Answer 4

The whole point of encryption (at least for passwords) is that it is, in theory, very difficult to go backwards from some encrypted data to the clear text. However, it seems in this case, the data is left with the annotation of how it was encrypted. It appears to have used SHA256 with a salt of 10000. I'm not a django expert (or an encryption expert), but this seems very relevant: Django Passlib

So for whatever you're implementing, you just need to use the same encryption method.

Answer 5

the doc should help you

<algorithm>$<iterations>$<sal>$<hash>

so the algorithm used is: pbkdf2 sha256

By default, Django uses the PBKDF2 algorithm with a SHA256 hash