EXT: KB MD5 FE Passwords

Author: Kasper Skårhøj
Created: 2002-11-01T00:32:00
Changed: 2005-12-04T21:01:42
Author: Kraft Bernhard
Email: kraftb@gmx.net

Extension Key: kb_md5fepw

Copyright 2000-2002, Kraft Bernhard, <kraftb@gmx.net>

This document is published under the Open Content License available from http://www.opencontent.org/opl.shtml

The content of this document is related to TYPO3 - a GNU/GPL CMS/Framework available from www.typo3.com

Table of Contents

EXT: KB MD5 FE Passwords

Introduction

What does it do?

Administration

Configuration

Known problems

To-Do list

Changelog

Introduction

What does it do?

This extension extends a few core functions and two extensions so that MD5-hashed frontend user passwords can be used throughout.

First, MD5-hashed passwords are transmitted when frontend users register via the core “feuser_admin” extension. The registration templates need some modifications to activate the MD5 hashing; see the example in the “res” directory of the extension. The default template is automatically set to this new template. Registration is the least secure part of the whole FE user process, because the password is transmitted over the line and everybody can read it. Although it is MD5 hashed and thus not human readable, someone who obtains the MD5 hash can use it to log in as the user it belongs to. It is just a little more complicated for them. To make registration secure, either use HTTPS or look out for the soon-to-be-released extension “kb_secfeureg”, which makes it possible to encrypt the sent password by means of asymmetric public/private key encryption.

The second part which gets extended is the login process. There are currently two widely used login mechanisms for TYPO3: the default login box, which is included in the core, and the “newloginbox” extension. For both of them, code has been implemented so that entered passwords are transmitted “superchallenged”.

“Superchallenged” means that the password is MD5 hashed, then concatenated with some other values (in our case the username and a random challenge string), and MD5 hashed again. Bringing in a random challenge string ensures that the string sent is different each time you log in. A malicious user can't log in with the same challenged-password/username/challenge combination again, as the challenge is stored in the database and is valid for just one login.
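
The exchange described above, as an added example that is not the extension's own code: the client computes the superchallenged value, and the server checks it against the stored MD5 hash and spends the challenge so a captured login cannot be replayed. The field order, the ":" separator and all names (superchallenge, createLoginServer, demo) are assumptions for illustration.

```javascript
const crypto = require("crypto");

const md5 = (s) => crypto.createHash("md5").update(s, "utf8").digest("hex");

// Client side: what the login form's JavaScript computes before submitting.
// ASSUMPTION: field order and ":" separator are illustrative only.
function superchallenge(username, password, challenge) {
  return md5(username + ":" + md5(password) + ":" + challenge);
}

// Server side: knows only md5(password) per user and hands out challenges.
function createLoginServer(userHashes) {
  const users = new Map(Object.entries(userHashes));
  const pending = new Set(); // stands in for the challenge table in the database

  return {
    issueChallenge() {
      const challenge = crypto.randomBytes(16).toString("hex");
      pending.add(challenge);
      return challenge;
    },
    verify(username, challenge, response) {
      // Spend the challenge first, so it is used up even by a failed attempt.
      if (!pending.delete(challenge)) return false;
      const stored = users.get(username);
      if (stored === undefined) return false;
      const expected = Buffer.from(md5(username + ":" + stored + ":" + challenge));
      const got = Buffer.from(String(response));
      return got.length === expected.length && crypto.timingSafeEqual(got, expected);
    },
  };
}

// Constructed sample data: one user, one captured login, two replay attempts.
function demo() {
  const server = createLoginServer({ alice: md5("correct horse") });
  const c1 = server.issueChallenge();
  const captured = superchallenge("alice", "correct horse", c1);
  const first = server.verify("alice", c1, captured);  // genuine login
  const replay = server.verify("alice", c1, captured); // same challenge again
  const c2 = server.issueChallenge();
  const stale = server.verify("alice", c2, captured);  // old response, new challenge
  const c3 = server.issueChallenge();
  const fresh = server.verify("alice", c3, superchallenge("alice", "correct horse", c3));
  return { first, replay, stale, fresh };
}

console.log(demo());
```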

You will notice that the BE form when you edit a FE User has changed. Now the type of the Password field is “password” and you can't see the password anymore.

Administration

You need to install this extension after any extension it should extend. So if you want the “feuser_admin” registration process to store MD5-hashed passwords, install this extension after “feuser_admin”.

The same is true if you want to use the extension “newloginbox”. Just install this after that :).

The “Forgot password” feature of “feuser_admin” and “newloginbox” has changed: if the user requests that the password be sent to him, a new password is generated, stored in the database and sent to the user. This is necessary because the original user password can't be recovered from the MD5 hash.

Configuration

The newloginbox will work without any changes.

The core login box will only work properly if the “newloginbox” extension isn't installed.

For the frontend user registration to work properly, you need to make some modifications to your HTML template. There is an example HTML template in the “res” directory of this extension. The changes are minor: the “enc_form” JavaScript has to be added, along with an onSubmit function on the form.

Language Labels

The language labels of the newloginbox extension were slightly modified to reflect the new behaviour: old passwords can't be sent to users, so new passwords must be generated (the word “new” was added to the label). These labels can be modified via TS.

Example:

plugin.tx_newloginbox_pi1._LOCAL_LANG {
  default {
    forgot_password_pswmsg (
Your new password
Hi %s

Your username is: %s
Your newly reseted password is: %s
    )
  }
  de {
    forgot_password_pswmsg (
Ihr Neues Passwort
Hallo %s

Ihr Benutzername ist: %s
Ihr neu gesetztes Passwort ist: %s
    )
  }
}

Known problems

None at the moment

To-Do list

Nothing at the moment

Changelog

Version | Release Date | Changelog

0.0.0 | 2005-01-23, 02:30 CET | Initial release

0.1.0 | 2005-02-09, 20:45 CET | Use hooks in the “newloginbox” extension. Kindly provided by Ingmar Schlecht. Works with newloginbox 2.2.9 and above.

0.1.1 | 2005-02-22, 20:00 CET | Fixed a bug in the default template for the fe-user registration (missing </script> tag)

0.1.2 | 2005-02-20, 16:00 CET | Made the language labels configurable via TS

0.1.3 | 2005-04-04, 15:00 CET | Fixed a missing tag in pi1/class.tx_kbmd5fepw_newloginbox.php. Thanks for pointing this out go to Sylvain Viart

0.1.4 | 2005-06-17, 16:45 CET | Documentation was missing since last upload. Added it again.

0.2.0 | 2005-09-15, 20:30 CET |
  • Changed the hooks. Thought I already fixed that but was wrong in actual version.
  • Changed language labels double quotes to single quotes. Double quotes were replaced by their HTML entities in the plaintext forgot password mails.
  • Compatible with TYPO3 3.8.0

0.2.1 | 2005-11-09, 15:30 CET | Fixed a bug in the templates

0.3.0 | 2005-12-04, 21:00 CET | Removed the XCLASS for class.t3lib_feuserauth.php. Now this action gets performed by a TYPO3 service class, which interacts much better with the T3 framework.
