Session_key, v, s...how they work?

[Princess]

Hi, I'm doing a cms for mangos, but I have some little problems:

I have:

"UPDATEaccount SET sha_pass_hash='$npass', sessionkey='', v='', s='' WHERE username='$login'" this works ok on game, but when I tried to login on web this fail because, session_key, v and s...How they work?

[DaC]

Do you want an login on an web frontend with your account credentials from realm database? if so, you don't need session_key, v or s, they are only needed for game clients. a check agains a sha1 hash should be enough.

[Princess]

yes, but it too strangle.

In realm database I have:

sha_pass_hash = fe6f7b9ad8bb5a6caad5b6c5dc5568e2196bdc1a

but If I use the algoritm on php:

sha1(strtoupper($login) . ":" . strtoupper($opass));

it give me:

4bb5e28d95f82a3ea265177381a6d3bd60944dbe

the same login and the same password, it works only in wow login, but on web it fails

[lillecarl]

Try without strtoupper on the password side, should make it

-- Sent from my phone

[Princess]

30f71ce763fa241a988e9a20314a124f8229fa70 T_T

How mangos does to login? I don't undertands why mangos can login on wow with fe6f7b9ad8bb5a6caad5b6c5dc5568e2196bdc1a but when I use the "supposed" algoritm to hash the password, it gives me other password

[lillecarl]

Might sound stupid, but try to reverse it(pass:user) ill look into it when i get to my computer^^,

-- Sent from my phone

[Princess]

5740c4bda3672fa874d7980c6414d4ab2c51f9c3

92d410d0b4417be51046409e1d173fa5ef051585

with and without strtoupper jajaja. I have a poltergeist!

[DaC]

rechecked against sha1(strtoupper($account).":".strtoupper($password)) and it gave me the correct hash

[lillecarl]

DaC how can that give correct? strtoupper doesnt it make the entire string uppercase?

[brunogcar]

i can assure u, its upper user/pass, just look at mangos source its clear

if u cant figure it out, in a couple of days when i check out forum again, i will provide a working example that u can easily get either from read source or any 3rd party project, from memory try something like

SET sha_pass_hash=SHA1(CONCAT(UPPER('$username'),':',UPPER('$pass'))), v=0, s=0

hint minimanager has got it right, same as dozens of other projects, i cant name now cos im drunk

[lillecarl]

Yeah, well i just think it's wierd! I belive you, computers were once logic, then something happened!

[Princess]

Well, here is mi poltergeist!

The account/password is kili/petardo

If I use sha1(strtoupper($login) . ":" . strtoupper($opass)) it gives me: 4bb5e28d95f82a3ea265177381a6d3bd60944dbe <------------CORRECT

But if I go to realm account database I have: fe6f7b9ad8bb5a6caad5b6c5dc5568e2196bdc1a <-----WTF??

I can't log into web with 4bb5e28d95f82a3ea265177381a6d3bd60944dbe BUT I CAN log ingame into wow with fe6f7b9ad8bb5a6caad5b6c5dc5568e2196bdc1a

What's the problem? I don't understand

[Schmoozerd]

s, v != 0

[Princess]

Sorry I don't undertand you Schmoozerd. Are you telling me that I must check s,v in the php function to login?

[lillecarl]

std::string AccountMgr::CalculateShaPassHash(std::string& name, std::string& password)
{
   Sha1Hash sha;
   sha.Initialize();
   sha.UpdateData(name);
   sha.UpdateData(":");
   sha.UpdateData(password);
   sha.Finalize();

   std::string encoded;
   hexEncodeByteArray(sha.GetDigest(), sha.GetLength(), encoded);

   return encoded;
}

That is mangos password check, which is equal to yours in php. Just look at another mangos CMS's code and see how they do it?

[Princess]

I'm using a cms called Azer Cms and they use my function....But it doesn't work with all accounts, only with some...

[lillecarl]

That is very strange, the accounts not working is probably not created properly.

[Princess]

That is very strange, the accounts not working is probably not created properly.

maybe, but those accounts can be logged perfectly by game...

[Schmoozerd]

@lillecarl

The code you pasted is used only to change the password (which is for case s = v = 0)

[Princess]

So Schmoozerd, the v,s are only for loggin into world game?

By web using only sha1() algoritm are ok?

[faramir118]

s, v are used forclient authentication and initializing the RC4 stream cipher.

CMS authentication doesn't need them

[VladimirMangos]

That is very strange, the accounts not working is probably not created properly.

maybe, but those accounts can be logged perfectly by game...

Client apply upper case to login/password before send. Mangos apply upper case at accound creating by internal command and expect that in DB you store hascode created from _upper_ version login/password if it calculated by external tools

[Princess]

So...there isn't any way to fix the "wrong created" accounts on realm even if they log correctly ingame T_T

[Schmoozerd]

you can probably add a AT_LOGIN flag to force them to change PW or so.