Authentication account Joomla on ASP.NET applications

Introduction

Reading the headline, some of you who have studied both Joomla and ASP.NET will be surprised, because Joomla is written in PHP and ASP.NET is a very different platform. Their operating environments also differ: PHP is usually deployed on Linux, ASP.NET on Windows.

Two months ago I took on a project like this: a website built on Joomla that had already been running for a few months, so the database held articles, topics, categories, members, votes, feedback and so on. The owner wanted to change the "face" of the site (the front-end) but keep the Joomla administration (the back-end), and of course the database had to be retained as well. They wanted the new front-end written in ASP.NET.

At the time I thought this was an easy project (a very subjective feeling), because I would not have to spend any time writing the back-end. Indeed, it took me roughly a month to finish the requested work. But near the end I realised the real problem: how would users and administrators log in to the website? Administrators do not need to log in on the main page; they can simply log in to the Joomla back-end. But what about end users? They want to sign in to write feedback and to vote, so what then? I felt as if I had only 89 minutes left to live...

Structure of a Joomla password

Here is a password as it is stored in the Joomla users table:

f4f6b82bb566d38abc17acba97a3aa3b:KoRzoQ0vbYbsnvR9BZiEtD1yoYlBWQbz

As you can see, the stored Joomla password is clearly a hash, but why is it so long? Look a little closer and you will notice a colon in the middle of the string. Splitting on it gives two parts:

f4f6b82bb566d38abc17acba97a3aa3b

KoRzoQ0vbYbsnvR9BZiEtD1yoYlBWQbz

So what information does this string carry? Do not forget that Joomla is an open-source web application, so simply open the source and look. Joomla has a Joomla.User.Helper class (JUserHelper, in /joomla/libraries/joomla/user/helper.php). The process of creating a Joomla password can be sketched as follows: a random 32-character alphanumeric salt is generated (the second part of the string above), the plaintext password is concatenated with that salt and hashed with MD5 (the first part, 32 hex characters), and the two are stored joined by a colon, i.e. md5(password + salt) + ":" + salt. Note that this is hashing, not encryption: the password cannot be recovered from the stored value, but a guess can be checked by repeating the computation with the stored salt.

[Image: JUserHelper generating a Joomla password]

Password hashing in Joomla

[Image: PHP source of JUserHelper (/joomla/libraries/joomla/user/helper.php)]

In the last week before delivery I spent most of my time on Google. I tried every keyword I could think of and wandered around the computing forums. Almost nothing I found helped solve the problem. I even considered using Joomla's own functions to authenticate and then returning the result to my ASP.NET code for processing:

[Image: PHP code authenticating a Joomla user]

But this did not really satisfy me. Mixing two languages that share neither a platform nor an operating environment is not a good idea; it leads to many consequences and trouble later. Fortunately I finally received a lot of help, and one of those helpers contributed to this article. See the code below:

[Image: the ASP.NET authentication code; the listing is not reproduced on the page]

How do you feel about it? It is incredibly simple, right? From this point you just write functions for the login, logout, change-password, reset-password and create-user operations, and the job is done. It really is that simple!
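As an added example that is not the original post's code (that listing survives only as an image) and not Joomla's own code, here is C# that covers both halves of the problem described above: reproducing the md5(password + salt):salt format from the "Structure of a Joomla password" section, and the login, create-user and change/reset-password operations mentioned here. The class and method names (JoomlaPassword, Create, Verify, GenerateSalt, Md5Hex) are this example's own, and reading and writing the users table is left to the caller.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not the original post's code, not Joomla's): create and verify
// passwords in the md5:salt format an ASP.NET front-end shares with Joomla.
// Stored field layout:  HEX(MD5(plaintext + salt)) + ":" + salt
public static class JoomlaPassword
{
    // Alphanumeric alphabet, matching the characters seen in Joomla's 32-char salts.
    private const string SaltChars =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

    // Salt from a cryptographic RNG. System.Random is not suitable here: its
    // output is predictable and can repeat, e.g. after an IIS app pool recycle.
    public static string GenerateSalt(int length)
    {
        var bytes = new byte[length];
        RandomNumberGenerator.Create().GetBytes(bytes);
        var sb = new StringBuilder(length);
        foreach (byte b in bytes)
        {
            // 256 % 62 != 0, so this has a small modulo bias; acceptable for a
            // salt, which only has to be unique per user, not perfectly uniform.
            sb.Append(SaltChars[b % SaltChars.Length]);
        }
        return sb.ToString();
    }

    // Lowercase hex MD5 of password + salt, the value Joomla's
    // JUserHelper::getCryptedPassword() computes in its default 'md5-hex' mode.
    // UTF-8 is used because that is the byte sequence PHP's md5() sees from a form post.
    public static string Md5Hex(string password, string salt)
    {
        using (var md5 = MD5.Create())
        {
            byte[] hash = md5.ComputeHash(Encoding.UTF8.GetBytes(password + salt));
            var sb = new StringBuilder(hash.Length * 2);
            foreach (byte b in hash)
            {
                sb.Append(b.ToString("x2"));
            }
            return sb.ToString();
        }
    }

    // Value to write to the users table when creating a user or changing or
    // resetting a password. Joomla's back-end accepts it, since it is the same format.
    public static string Create(string password)
    {
        string salt = GenerateSalt(32);
        return Md5Hex(password, salt) + ":" + salt;
    }

    // Check a login attempt against the stored field. A stored value without a
    // colon (legacy unsalted MD5) is verified with an empty salt, which is how
    // Joomla's own authentication plugin treats it.
    public static bool Verify(string password, string stored)
    {
        if (password == null || string.IsNullOrEmpty(stored))
        {
            return false;
        }
        string[] parts = stored.Split(new[] { ':' }, 2);
        string crypt = parts[0];
        string salt = parts.Length > 1 ? parts[1] : string.Empty;
        return FixedTimeEquals(Md5Hex(password, salt), crypt);
    }

    // Compare every character so the time taken does not reveal how many
    // leading hex digits of the hash matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    // Round trip: create a record, then verify a right and a wrong password against it.
    public static void Main()
    {
        string stored = Create("correct horse battery staple");
        Console.WriteLine(stored);
        Console.WriteLine(Verify("correct horse battery staple", stored));
        Console.WriteLine(Verify("wrong password", stored));
    }
}
```

Two caveats. First, hash with the same bytes Joomla sees: a PHP form posts UTF-8 and md5() works on those raw bytes, so Encoding.UTF8 is what keeps non-ASCII passwords matching on both sides. Second, this format is what keeps the Joomla back-end login working, so it cannot be strengthened on the ASP.NET side alone; salted MD5 is fast to brute-force, and later Joomla versions (3.2 and up) moved to bcrypt hashes beginning with $2y$, which Verify above will simply reject.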

This is my solution. Do you have another way you would like to share with everyone?

P/S: If you republish this article on your website or blog, do not forget to state the original source: MicroSYNC Blog! Thanks!


6 Responses to “Authentication account Joomla on ASP.NET applications”

  • Paco says:

    1. MD5 is too easy to brute-force now.
    2. The random algorithm you use without seed is predictable.
    3. What is the benefit of storing the password and salt in one field?

  • Mr.AD says:

    Hi,

    Thanks for your comment !

    1. Yes! So they add a SALT to make password exploration harder.
    2. That's not my algorithm! It belongs to Joomla!
    3. I am not sure, but I guess it makes accessing the data more convenient.

    My article just helps someone who wants to integrate an ASP.NET web application with Joomla!

  • Paco says:

    1. The salt is not enough. The salt is also stored in the database; it makes brute forcing slower, but not slow enough to prevent it, unless you use a very large salt. Try the tools hackers use to test your own security. You can try the BackTrack md5 tools, or rainbowtables.com.
    2. A random class without seeds can return the same value multiple times under certain conditions (example: IIS app pool recycle). That makes the value predictable and useful for hackers. You can prevent this by using a seed, like new Random(DateTime.Now.Milliseconds). A better way is to call a security specific cryptography algorithm to create the salt, like:

        using System;
        using System.Security.Cryptography;

        // saltSize was not defined in the posted snippet; 32 bytes is assumed here
        private const int saltSize = 32;

        public string CreateSalt()
        {
            // cryptographically secure generator, unlike System.Random
            var rng = new RNGCryptoServiceProvider();
            var buff = new byte[saltSize];
            rng.GetBytes(buff);
            return Convert.ToBase64String(buff);
        }

    3. I guess it makes data access more complicated because you have to write code to combine the value and split the value. It's less code and more readable code when you just have separate fields in the database for the separate fields in your class.
    4. When you just want to integrate with Joomla, please ignore my comments! I could better post them on the Joomla forum...

    A site I created had better security than you describe, and it was hacked 3 years ago. The current version is much harder to hack :)

  • loans says:

    I want to thank the blogger very much not only for this post but also for his all previous efforts. I found blog.microsync.net to be greatly interesting. I will be coming back to blog.microsync.net for more information.

  • StUnT says:

    I am reading this article for the second time today; you have to be more careful with content leakers. If I find it again I will send you a link.

  • Mr.AD says:

    Hi,

    Thanks for your comment !

    Send me the link you're talking about, please! I want to know what content it contained!

    Thanks !
