.. You may want to use the usual include line. Uncomment and adjust the path.
.. include:: ../Includes.txt

========================
EXT: KB MD5 FE Passwords
========================

:Author: Kasper Skårhøj
:Created: 2002-11-01T00:32:00
:Changed: 2005-12-04T21:01:42
:Author: Kraft Bernhard
:Email: kraftb@gmx.net
:Info 3:
:Info 4:

.. _EXT-KB-MD5-FE-Passwords:

EXT: KB MD5 FE Passwords
========================

Extension Key: **kb\_md5fepw**

Copyright 2000-2002, Kraft Bernhard,

This document is published under the Open Content License
available from http://www.opencontent.org/opl.shtml

The content of this document is related to TYPO3
\- a GNU/GPL CMS/Framework available from www.typo3.com

.. _Table-of-Contents:

Table of Contents
-----------------

**EXT: KB MD5 FE Passwords**

**Introduction**

What does it do?

**Administration**

**Configuration**

**Known problems**

**To-Do list**

**Changelog**

.. _Introduction:

Introduction
------------

.. _What-does-it-do:

What does it do?
^^^^^^^^^^^^^^^^

This extension extends a few core functions and two extensions so that MD5 frontend user passwords can be used all along the way.

First, MD5-hashed passwords are transmitted when frontend users register via the core “feuser\_admin” extension. Some modifications need to be made to the registration templates to activate the MD5 hashing; see the example in the “res” directory of the extension. The default template is automatically set to this new template.

Registration is the most insecure part of the complete FE user transaction, because the password is transmitted over the line and everybody can read it. Although it is MD5 hashed and thus not human-readable, anyone who obtains the MD5 hash can use it to log in as the user it belongs to. It is just a little bit more complicated for them. To make registration secure, either use HTTPS or look out for the soon-to-be-released extension “kb\_secfeureg”.
That extension makes it possible to encrypt the sent password by means of asymmetric public/private key encryption.

The second part that gets extended is the login process. There are currently two widely used login mechanisms for TYPO3: the default login box, which is included in the core, and the “newloginbox” extension. For both of them, code has been implemented so that the entered passwords are transmitted “superchallenged”.

“Superchallenged” means that the password is MD5 hashed, then concatenated with some other values (in our case the username and a random challenge string), and MD5 hashed again. Bringing in a random challenge string ensures that the string sent along is different each time you log in. A malicious user can't log in with the same challenged-password/username/challenge combination again, as the challenge is stored in the database and is valid for only one login.

You will notice that the BE form for editing an FE user has changed. The password field is now of type “password”, so you can't see the password anymore.

.. _Adminstration:

Administration
--------------

You need to install this extension after any extension it should extend. So if you want the “feuser\_admin” registration process to store MD5-hashed passwords, install this extension after “feuser\_admin”. The same is true if you want to use the “newloginbox” extension: just install this extension after it :).

The “Forgot password” feature of “feuser\_admin” and “newloginbox” has changed: when a user requests that the password be sent to them, a new password is generated, stored in the database and sent to the user. This is necessary because the original user password can't be recovered from the MD5 hash.

.. _Configuration:

Configuration
-------------

The newloginbox will work without any changes. The core login box will work properly only if the “newloginbox” extension isn't installed.

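
The “superchallenged” login exchange described in the introduction, as an added Python sketch (it is not the extension's own PHP or JavaScript code). The ``username:MD5(password):challenge`` layout, the class and function names, and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def superchallenge(username, password_md5, challenge):
    # Assumed layout: MD5(username ":" MD5(password) ":" challenge).
    # Only MD5(password) is needed here, so the stored hash must be
    # protected like the password itself.
    return md5_hex(f"{username}:{password_md5}:{challenge}")


class LoginServer:
    def __init__(self, users):
        self.users = dict(users)      # username -> MD5(password), as stored
        self.open_challenges = set()  # stands in for the database table

    def issue_challenge(self):
        challenge = secrets.token_hex(16)
        self.open_challenges.add(challenge)
        return challenge

    def verify(self, username, challenge, response):
        # Design choice of this sketch: spend the challenge before any
        # other check, so it is gone whether or not the login succeeds.
        if challenge not in self.open_challenges:
            return False
        self.open_challenges.discard(challenge)
        stored = self.users.get(username)
        if stored is None:
            return False
        expected = superchallenge(username, stored, challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


def demo():
    # Constructed sample account, not taken from the extension.
    pw_md5 = md5_hex("correct horse")
    server = LoginServer({"alice": pw_md5})
    c1 = server.issue_challenge()
    r1 = superchallenge("alice", pw_md5, c1)
    first = server.verify("alice", c1, r1)    # fresh challenge
    replay = server.verify("alice", c1, r1)   # same triple sent again
    c2 = server.issue_challenge()
    stale = server.verify("alice", c2, r1)    # old response, new challenge
    return first, replay, stale
```

``demo()`` returns the outcome of a first login, a replay of the same username/challenge/response triple, and an old response presented against a newly issued challenge.
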

For the frontend user registration to work properly, you need to make some modifications to your HTML template. There is an example HTML template in the “res” directory of this extension. The changes are minor: the “enc\_form” JavaScript has to be added, along with an onSubmit function on the form.

.. _Language-Labels:

Language Labels
^^^^^^^^^^^^^^^

The language labels of the newloginbox extension were slightly modified to reflect the new behaviour: old passwords can't be sent to the users, so new passwords must be generated (the word “new” was added to the label). These labels can be modified via TS. Example:

::

   # English (default) and German (de) text of the "forgot password" mail
   plugin.tx_newloginbox_pi1._LOCAL_LANG {
     default {
       forgot_password_pswmsg (
   Your new password
   Hi %s
   Your username is: %s
   Your newly reseted password is: %s
   )
     }
     de {
       forgot_password_pswmsg (
   Ihr Neues Passwort
   Hallo %s
   Ihr Benutzername ist: %s
   Ihr neu gesetztes Passwort ist: %s
   )
     }
   }

.. _Known-problems:

Known problems
--------------

None at the moment

.. _To-Do-list:

To-Do list
----------

Nothing at the moment

.. _Changelog:

Changelog
---------

.. ### BEGIN~OF~TABLE ###

.. _Version:

**Version**
^^^^^^^^^^^

.. container:: table-row

   a
         **Version**

   b
         **Release Date**

   c
         **Changelog**

.. _0-0-0:

0.0.0
^^^^^

.. container:: table-row

   a
         0.0.0

   b
         2005-01-23, 02:30 CET

   c
         Initial release

.. _0-1-0:

0.1.0
^^^^^

.. container:: table-row

   a
         0.1.0

   b
         2005-02-09, 20:45 CET

   c
         Use hooks in the “newloginbox” extension. Kindly provided by Ingmar Schlecht. Works with newloginbox 2.2.9 and above.

.. _0-1-1:

0.1.1
^^^^^

.. container:: table-row

   a
         0.1.1

   b
         2005-02-22, 20:00 CET

   c
         Fixed a bug in the default template for the fe-user registration (Missing tag)

.. _0-1-2:

0.1.2
^^^^^

.. container:: table-row

   a
         0.1.2

   b
         2005-02-20, 16:00 CET

   c
         Made the Language Labels configurable via TS

.. _0-1-3:

0.1.3
^^^^^

.. container:: table-row

   a
         0.1.3

   b
         2005-04-04, 15:00 CET

   c
         Fixed a missing tag in pi1/class.tx\_kbmd5fepw\_newloginbox.php. Thanks to Sylvain Viart for pointing this out.

.. _0-1-4:

0.1.4
^^^^^

.. container:: table-row

   a
         0.1.4

   b
         2005-06-17, 16:45 CET

   c
         Documentation was missing since last upload. Added it again.

.. _0-2-0:

0.2.0
^^^^^

.. container:: table-row

   a
         0.2.0

   b
         2005-09-15, 20:30 CET

   c
         - Changed the hooks. Thought I already fixed that, but it was wrong in the actual version.

         - Changed language labels double quotes to single quotes. Double quotes were replaced by their HTML entities in the plaintext forgot password mails.

         - Compatible with TYPO3 3.8.0

.. _0-2-1:

0.2.1
^^^^^

.. container:: table-row

   a
         0.2.1

   b
         2005-11-09, 15:30 CET

   c
         Fixed a bug in the templates

.. _0-3-0:

0.3.0
^^^^^

.. container:: table-row

   a
         0.3.0

   b
         2005-12-04, 21:00 CET

   c
         Removed the XCLASS for class.t3lib\_feuserauth.php. This action is now performed by a TYPO3 service class, which interacts much better with the T3 framework.

.. ###### END~OF~TABLE ######