Jump to content

About Hashing Method In Pw


Recommended Posts


I'm learning about password management/security in order to synchronize logins between PW users and Foxycart. In Foxycart I need to choose the password hash type I'm using.

In my installation of PW wire->config.php shows:

$config->userAuthHashType = 'sha1';

But in the post https://processwire.com/talk/topic/2954-password-hashing/ Ryan says:

In ProcessWire 2.3, The $config->userAuthHashType is only used as a fallback if bcrypt/blowfish isn't available. 

I'm using 2.4.4 version.

As the server which PW shows blowfish is available I understand PW is using it. Foxycart doesn´t list this hash algorithm available.

So, where should I change the hash method in wire->config? but it is overriden if blowfish is available in the server anyway? 

I'm a bit lost here  :mellow: , any direction / help would be appreciated.

Link to comment
Share on other sites

What are you trying to do exactly? ProcessWire uses salt also, so telling foxycart just about the hash algorithm PW uses has no use at all. Is there some documentation page on Foxy carts site that we can reference?

Link to comment
Share on other sites


It shows a list with the available methods to use with Foxycart.

There are several options, for different CMSs, eg Wordpress or Drupal, salt included.

I need Processwire to use one of this methods in order to sync the password between the PW users and Foxy users, as I understand I need to use the same hash method + salt so a user registered through Foxy could not login / validate password in PW, because the hashes would be different.

Link to comment
Share on other sites

alejandro, I have also done a Foxycart / PW integration.

This took me quite a while to get my head around too.

Quite simply, it doesn't matter which hashing method you choose in FoxyCart (I chose sha256)

This was my setup:

1. customer registers in FoxyCart

2. customer pays and datafeed is sent back to PW

3. password in datafeed is already sha256 so I just create a new user in PW with the already hashed password.

4. new PW user is setup which has a password which is sha256 hashed THEN PW hashed.

If you are setting up a login form where this user can login to PW, all you have to remember is you must sha256 the entered password, and use that in the $session->login call

Hope that is all clear

  • Like 3
Link to comment
Share on other sites


Can´t try it right now, but I understand it and it seems quite clear. I was having headaches thinking about possible weird solutions, like using two different passwords for each user (probabily not doable).

Maybe later, when coding it, I'll have some doubts but I see the way to do it.

Thank you very much.  :D

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Create New...