I'm totally lost on this one. I've got a client who asked me to produce an XML API to be used by an iPhone application for his website. The iPhone application developer is delivering the auth values with a SHA1-encoded password.

How do I make sure that the username (plain text) and password (SHA1) are correct?

I've been reading through class.phpass.php and pluggable.php, but I can't figure it out.

This normally takes a bit of work. The WordPress password is stored as a salted MD5 hash, which can't possibly match the SHA1 you're being sent. In addition, since the cleartext of the password isn't stored, you don't have it available to generate another SHA1 value on the fly.

Here are a few suggestions off the top of my head on how to attack this problem:

  1. Have the application connect over HTTPS and then send the cleartext of the password. This is the most secure and requires the least reworking of the WordPress code, but it might not be an option available to you.
  2. Have the application send the password encrypted with a symmetric cipher, with both the application and WordPress knowing the secret key. Managing a secret key in multiple locations is dicey. You pretty much have to assume that it's eventually going to leak, and then any security goes out the window.
  3. Whenever a user successfully logs in to WordPress (or when they're created, or when they change their password), create a user meta value which is the SHA1 of the password. Then it's available for future authentication by the application.

Depending on the details of the site, items #2 and #3 aren't really secure. #2 is just waiting for a hack, and unless #3 happens over an encrypted connection, it's effectively sending a cleartext password (as the SHA1) across the internet.

If you can't get the application developer to do #1, then I'd go with #3 and hope nobody's really interested in whatever info the site is managing.
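The following plugin sketch is an added illustration of options #1 and #3 from the answer above; it is not code from the original post or from WordPress itself. The hooks it uses (`wp_authenticate_user`, `password_reset`, `rest_api_init`) and functions (`wp_check_password`, `wp_authenticate`, `update_user_meta`, `get_user_meta`, `hash_equals`, `is_ssl`) are real WordPress/PHP APIs; the meta key name `iphone_sha1_password`, the REST route `iphone/v1/auth`, and the request field names `username`, `password` and `password_sha1` are assumptions chosen for the example. As the answer notes, the SHA1 meta is only created once a user logs in or resets their password after the plugin is active, and sending that SHA1 over plain HTTP is no better than sending the cleartext, so the endpoint refuses non-TLS requests.

```php
<?php
/*
Plugin Name: iPhone Auth Bridge (illustrative example, not part of the original post)
*/

// Assumed meta key under which the SHA1 of the cleartext password is kept (option #3).
const IPHONE_SHA1_META = 'iphone_sha1_password';

function iphone_store_sha1( $user_id, $plaintext ) {
    update_user_meta( $user_id, IPHONE_SHA1_META, sha1( $plaintext ) );
}

// 'wp_authenticate_user' runs on every login attempt with the user object and the
// submitted password, *before* WordPress checks it, so verify against the stored
// phpass hash first and only then record the SHA1.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    if ( $user instanceof WP_User && wp_check_password( $password, $user->user_pass, $user->ID ) ) {
        iphone_store_sha1( $user->ID, $password );
    }
    return $user;
}, 10, 2 );

// 'password_reset' fires with the new cleartext password when a user completes a reset.
add_action( 'password_reset', function ( $user, $new_pass ) {
    iphone_store_sha1( $user->ID, $new_pass );
}, 10, 2 );

// Option #3 check: compare the SHA1 sent by the app with the stored one.
// Returns a WP_User on success, false otherwise.
function iphone_verify_sha1( $username, $sha1_hex ) {
    $user = get_user_by( 'login', $username );
    if ( ! $user ) {
        return false;
    }
    $stored = get_user_meta( $user->ID, IPHONE_SHA1_META, true );
    if ( ! $stored ) {
        return false; // user has not logged in or reset since the plugin was installed
    }
    // Constant-time comparison so response timing does not leak how many bytes matched.
    return hash_equals( $stored, strtolower( trim( (string) $sha1_hex ) ) ) ? $user : false;
}

// Option #1 check: the app sends the cleartext password over HTTPS and WordPress
// verifies it against its own phpass hash; nothing extra needs to be stored.
function iphone_verify_cleartext( $username, $password ) {
    $user = wp_authenticate( $username, $password );
    return ( $user instanceof WP_User ) ? $user : false;
}

function iphone_auth_xml( $user ) {
    $xml = new SimpleXMLElement( '<auth/>' );
    $xml->addChild( 'ok', $user ? 'true' : 'false' );
    if ( $user ) {
        $xml->addChild( 'user_id', (string) $user->ID );
    }
    return $xml->asXML();
}

// POST /wp-json/iphone/v1/auth with either 'password' (option #1) or 'password_sha1' (option #3).
add_action( 'rest_api_init', function () {
    register_rest_route( 'iphone/v1', '/auth', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $req ) {
            // Either form of credential is sensitive on the wire; require TLS.
            if ( ! is_ssl() ) {
                return new WP_Error( 'https_required', 'Use HTTPS', array( 'status' => 403 ) );
            }
            if ( isset( $req['password'] ) ) {
                $user = iphone_verify_cleartext( $req['username'], $req['password'] );
            } else {
                $user = iphone_verify_sha1( $req['username'], $req['password_sha1'] );
            }
            // The REST layer serialises to JSON, so emit the XML body directly and stop.
            header( 'Content-Type: text/xml; charset=utf-8' );
            echo iphone_auth_xml( $user );
            exit;
        },
    ) );
} );
```

A failed lookup and a wrong hash both return the same `<ok>false</ok>` body, so the endpoint does not reveal which usernames exist. If the developer can be moved to option #1, the `password_sha1` branch and the two hooks can be deleted and no derived secret is stored in `wp_usermeta` at all.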