Generate user_password phpBB

I have a gameserver running on the same server as a phpBB forum.

I want to make users verify their identity to the gameserver by entering their phpBB username and password.

I know how to do this with their username (simply get their username and compare it to the 'username' field in the SQL database).

However, I'm not sure how to encrypt the entered password so that I can compare it to the 'user_password' field. If it requires md5, I'd prefer to use the md5() function in SQL, but I can do it outside of SQL.

Apparently, phpBB uses phpass for its password management. That's actually quite good, as it means that there's a good chance you're using a standard password hashing algorithm like bcrypt under the covers. Bcrypt is considered to be very strong.

To work out whether a password matches a bcrypted hash, you (logically) retrieve the encoded hash string, get the cost parameter and salt out of it, and then see if (when you apply the bcrypt algorithm to the submitted password, the cost and the salt) it results in the same actual hash bytes as you retrieved. It's computationally expensive (and the hashing algorithm itself is tricky if you're implementing from scratch, which it is suggested you don't do) but it's not logically all that complicated to the outside world.

It might be worthwhile putting the code to do the verification in PHP and doing the verification by a local web service call, since then you can easily leverage the existing code (like that, you can definitely match what the user credential handling is). Probably make it be a page that just returns the "current" user name after processing a log in, and make the client of this not maintain session state. (That should be trivial.) You might need to think in terms of locking the page from access from off the machine, and adding some sort of rate limiting too (e.g., only one response per user from this special page per 10 seconds) as that makes impractical all sorts of nasty tricks.
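The local verification page the answer describes, written out as an added example (this is not phpBB's own code and not part of the original answer). It assumes phpBB 3.1 or later, which stores bcrypt hashes of the form `$2y$10$...` in `phpbb_users.user_password` (default `phpbb_` table prefix), that the game server calls the page over loopback, and placeholder database credentials. It parses the cost and salt out of the stored string to show what `password_verify()` then re-runs bcrypt with, restricts the page to local callers, applies the one-attempt-per-10-seconds limit from the answer, and returns only the user name on success. Older phpBB 3.0 accounts that still carry phpass `$H$` hashes are rejected by this example rather than verified; phpBB itself re-hashes those on a normal forum login.

```php
<?php
// verify_login.php: added example, not phpBB's own code.
// Assumptions: phpBB 3.1+ bcrypt ("$2y$") hashes, default "phpbb_" table
// prefix, and a game server that calls this page only over loopback.
declare(strict_types=1);

// Refuse anything that did not come from this machine.
$remote = $_SERVER['REMOTE_ADDR'] ?? '';
if (!in_array($remote, ['127.0.0.1', '::1'], true)) {
    http_response_code(403);
    exit;
}

// One attempt per user per $windowSeconds, tracked with a timestamp file.
function rateLimited(string $username, int $windowSeconds = 10): bool
{
    $marker = sys_get_temp_dir() . '/login-rl-' . hash('sha256', mb_strtolower($username));
    $now = time();
    if (is_file($marker) && ($now - (int) file_get_contents($marker)) < $windowSeconds) {
        return true;
    }
    file_put_contents($marker, (string) $now, LOCK_EX);
    return false;
}

// Split a 60-character bcrypt string into its cost, 22-char salt and 31-char
// digest; returns null for anything that is not bcrypt (e.g. a legacy "$H$" hash).
function bcryptParts(string $hash): ?array
{
    if (!preg_match('/^\$2[aby]\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/', $hash, $m)) {
        return null;
    }
    return ['cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]];
}

function verifyPhpbbUser(PDO $db, string $username, string $password): bool
{
    // username_clean is phpBB's normalised, lower-cased copy of the name;
    // lower-casing here is an approximation of phpBB's own cleaning function.
    $stmt = $db->prepare('SELECT user_password FROM phpbb_users WHERE username_clean = :u');
    $stmt->execute([':u' => mb_strtolower($username)]);
    $stored = $stmt->fetchColumn();

    if ($stored === false || bcryptParts($stored) === null) {
        // Unknown user or non-bcrypt hash: spend one bcrypt computation anyway so
        // a missing account is not distinguishable from a wrong password by timing.
        password_hash($password, PASSWORD_BCRYPT);
        return false;
    }

    // password_verify() reads the cost and salt embedded in $stored, re-runs bcrypt
    // on the submitted password and compares the digests in constant time.
    return password_verify($password, $stored);
}

$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');

if ($username === '' || $password === '' || rateLimited($username)) {
    http_response_code(429);
    exit;
}

// Placeholder credentials; replace with the forum's real DSN and account.
$db = new PDO(
    'mysql:host=localhost;dbname=phpbb;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

header('Content-Type: text/plain');
if (verifyPhpbbUser($db, $username, $password)) {
    echo $username;          // the "current" user name on success, nothing else
} else {
    http_response_code(401); // no detail on failure
}
```

The game server would POST `username` and `password` to this page on `localhost` and treat a 200 response with a body as a successful login; a 401, 403 or 429 all mean "not authenticated" from its point of view, and since the page keeps no session, each call is independent. Binding the web server's virtual host for this page to the loopback interface is a stronger version of the `REMOTE_ADDR` check above, which can be fooled if a reverse proxy sits in front of PHP.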
