Standard function in TXP for a challenge/response on TXp users?

tennapel · 2009-11-28 21:12:15

I’m developing a plugin that needs a login form. I want to use the TXP users (the users that can log in on the admin side). I want to check a username and password entered in the form against the username/password combo in the TXP database.

I have been looking around on Google and in the TXP php files, but cannot find a standard function in TXP/lib that you can use to check the username/password combo and that will return either ‘good / no good’ or the username and privs.

How can I do this most secure? I prefer to hook into a TXP lib function if possible.

Last edited by tennapel (2009-11-28 21:13:17)

Dragondz · 2009-11-29 08:43:35

Hi

Have you tried to see ign_password_protect code, i think you can find the answer there.

Cheers

tennapel · 2009-11-29 11:19:04

I found the function ‘txp_validate($user,$password)’ in txp_auth.php in the folder ‘include’ of the textpattern folder. Is that safe to call from a plugin?

tennapel · 2009-12-01 08:35:13

No one has an answer to this?

ruud · 2009-12-01 11:39:54

You shouldn’t use that directly.

tennapel · 2009-12-01 21:17:39

Ok, if not, what other option is there to authenticate against the TXP users in de database and keep it safe?

aslsw66 · 2009-12-02 13:43:41

Sorry, but I’m not sure why you wouldn’t use ign_password_protect. If there was additional functionality you need, this plugin can also work with a couple of others but you could at least use it as a starting point and then hack your way around whatever else you need.

ruud · 2009-12-02 17:36:24

There is no other option. Calling txp_validate directly bypasses the delays that are added in other places to make brute-force attacks less interesting. Look at how txp_validate is used in TXP code and you’ll see what I mean. So, you can use it directly, if you use it in a similar way as TXP core does.

tennapel · 2009-12-03 14:23:37

ok, thanks ruud, i will look at the txp_validate example.

@aslsw66: ign_password_protect does not work on the servers of the webhost for reasons I don’t know; writing my own solution gives me a little more flexibility in output.

aslsw66 · 2009-12-03 15:30:12

That’s weird! My usual approach to the flexibility with output issue is to just start hacking into someone else’s plugin. I call it “standing on the shoulders of giants” – it sounds better than “hacking”.

tennapel · 2009-12-03 16:27:59

I tried hacking into ign_password_protect, but it was too much code to spot the problem. Also, authentication is directly against the database, so security wise I’m not sure that’s the best way (see other topic). I’d like to tap into the textpattern authentication itself.

Textpattern CMS

Textpattern CMS support forum

#1 2009-11-28 21:12:15

Standard function in TXP for a challenge/response on TXp users?

#2 2009-11-29 08:43:35

Re: Standard function in TXP for a challenge/response on TXp users?

#3 2009-11-29 11:19:04

Re: Standard function in TXP for a challenge/response on TXp users?

#4 2009-12-01 08:35:13

Re: Standard function in TXP for a challenge/response on TXp users?

#5 2009-12-01 11:39:54

Re: Standard function in TXP for a challenge/response on TXp users?

#6 2009-12-01 21:17:39

Re: Standard function in TXP for a challenge/response on TXp users?

#7 2009-12-02 13:43:41

Re: Standard function in TXP for a challenge/response on TXp users?

#8 2009-12-02 17:36:24

Re: Standard function in TXP for a challenge/response on TXp users?

#9 2009-12-03 14:23:37

Re: Standard function in TXP for a challenge/response on TXp users?

#10 2009-12-03 15:30:12

Re: Standard function in TXP for a challenge/response on TXp users?

#11 2009-12-03 16:27:59

Re: Standard function in TXP for a challenge/response on TXp users?

Board footer