4

I am trying to create a login system on the same server in php which creates registration through django.

I have no idea of how django encrypts passwords. The password which I can see in my database are like this:

pbkdf2_sha256$10000$qlzlSSgHottd$5hV9BfLpzyAS62KZhvRyDBnagr1rYf29VbkZbfjipV4=

Now I want to create a login system in PHP which validates using the above hashed specified password . So Please help me out how to create a login system for PHP

Note: The database is already setup and I have thousands of users who are using it I need authentication for a different system which I am building

Improve this question
2
  • Could you post a known cleartext password and string hash so that a supposed answer could be verified? Commented Mar 21, 2014 at 22:31
  • django itself doesn't do anything magical with encryption, as far as I know. Your question is, "what type of encryption is this using?", rather that "how does django encrypt passwords". Commented Mar 21, 2014 at 22:38

5 Answers 5

Reset to default
16

I met the same situation as you did, Prateek, and with some studies, the following codes did what I want, and it's what you want.

<?php
ini_set('display_errors', 'On');
error_reporting(E_ALL);

function make_password($password) {
    $algorithm = "pbkdf2_sha256";
    $iterations = 10000;

    $newSalt = mcrypt_create_iv(6, MCRYPT_DEV_URANDOM);
    $newSalt = base64_encode($newSalt);

    $hash = hash_pbkdf2("SHA256", $password, $newSalt, $iterations, 0, true);    
    $toDBStr = $algorithm ."$". $iterations ."$". $newSalt ."$". base64_encode($hash);

    // This string is to be saved into DB, just like what Django generate.
    echo $toDBStr;
}

function verify_Password($dbString, $password) {
    $pieces = explode("$", $dbString);

    $iterations = $pieces[1];
    $salt = $pieces[2];
    $old_hash = $pieces[3];

    $hash = hash_pbkdf2("SHA256", $password, $salt, $iterations, 0, true);
    $hash = base64_encode($hash);

    if ($hash == $old_hash) {
       // login ok.
       return true;
    }
    else {
       //login fail       
       return false; 
    }
}
?>

The $toDBStr generated in make_password is exactly the same as what you post in this thread, and you can save the string to any database, even keep use the DB created by Django.

And you need to select the string to pass to the verify_Password function to verify if the password is the same as what user inputed.

The above PHP code requires PHP 5.5 to have the hash_pbkdf2 function.

Enjoy it.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

4

Instead of recreating the hashing process in PHP, you might wanna let Django handle that for you.

Use this script to get hashes from raw passwords:

django_password_hash.py:

import sys
from django.conf import settings
settings.configure()
from django.contrib.auth import hashers
raw_password = sys.argv[1]
try:
    salt = sys.argv[2]
except IndexError:
    salt = None
hash = hashers.make_password(raw_password, salt=salt)
sys.stdout.write("%s\n" % hash)
sys.stdout.flush()
sys.exit(0)

Then call it from PHP, something like this:

<?php
    $password_hash = shell_exec('python /path/to/django_password_hash.py ' . $raw_password . ' ' . $salt);
    // compare the value in $password_hash to database, etc...
    // account for the "\n" at the end of $password_hash

Don't forget http://www.php.net/manual/en/function.escapeshellcmd.php

Improve this answer

5 Comments

This seems reasonable . But the hash generated is different eachtime . so how will i check if the raw_password matches its hash value whihc was hashed earlier
@PrateekChandan True that, I forgot about the salt! So I guess you'll have to extract the salt string from the existing hash, and then use the script (I've updated it to take salt as the second argument)
Certainly, it's a workaround. But with PHP developer, this way still depends on Python, not pure PHP. Hence if we need to do some enhancements or modifications, the way will not work. That's why I re create it by pure PHP, we don't want to be limited by Python.
@DenniesChang I'd say that certainly doing it in PHP is a workaround. Django supports multiple hashing algorithms, some pre-configured but it also allows you to use your own. Additionally, the default algorithm changes (rarely but still) and when this happens you will have both variants in the DB. indeed this has happened (once) since this question was asked. Which means that your answer won't work any more (needs an update), while mine still works 8.5 years later (Django 4.1.3).
@frnhr Sure, if I need that solution depends on python, or I need to combine PHP with python, your suggestion is great. But if I want to use PHP codes to adopt the DB from Django, and deprecate Django without user suffer, your suggestion will be restricted. Moreover, if the developer restrict PHP to execute system command, the feature will not work neither. So, I think your suggestion is great for python developers, but not PHP developers.
2

this function create a django hash in php 7.0+

function create(string $password, $iterations=36000, $algorithm='sha256', $iterations=36000) : string{
    $salt = base64_encode(openssl_random_pseudo_bytes(9));

    $hash = hash_pbkdf2($algorithm, $password, $salt, $iterations, 32, true);

    return 'pbkdf2_' . $algorithm . '$' . $iterations . '$' . $salt . '$' . base64_encode($hash);
}
Improve this answer

1 Comment

The key was 32, true); at the end of the hash_pbkdf2 function.
0

The whole point of encryption (at least for passwords) is that it is, in theory, very difficult to go backwards from some encrypted data to the clear text. However, it seems in this case, the data is left with the annotation of how it was encrypted. It appears to have used SHA256 with a salt of 10000. I'm not a django expert (or an encryption expert), but this seems very relevant: Django Passlib

So for whatever you're implementing, you just need to use the same encryption method.

Improve this answer

Comments

0

the doc should help you

<algorithm>$<iterations>$<sal>$<hash>

so the algorithm used is: pbkdf2 sha256

By default, Django uses the PBKDF2 algorithm with a SHA256 hash

Improve this answer

2 Comments

This is very obvious from the undestanding of passowrds
I want to know how to authenticate a password in php

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.