Can't Login on foxycart after syncing users

bledfeetbledfeet Member
in Help edited April 2014

I synced some users from my database to the foxycart API.
However, I can't login with my credential on the checkout page.
I guess it's the way I synced the password or the salt value to foxycart.

How I store the password :
$crypted_password_in_db = md5(md5($clear_password).$salt)

what I sent to Foxycart with customer_save:
$data = array(
"api_action" => "customer_save",
"api_token" => self::$__api_key,
"customer_email" => $customer_email,
"customer_password" => $crypted_password_in_db,
"customer_salt" => $salt,

I chose md5_salted_suffix in the foxycart admin panel

Also, I don't understand is when I make a "customer_list" , the customer_password_salt value is different of the one I send when I called "customer_save".

Thank you for your help
  • fc_adamfc_adam FoxyCart Team

    Thanks for posting a detailed post there - that helps us help you!

    So the issue you're running into is we don't actually support the way you have created the passwords. md5_salted_suffix is just md5($password.$salt) - where as you also md5() the password before concatenating it with the salt.

    In terms of why the salt value is different - if you already have a hashed password what you'll want to do is set "customer_password_hash" via the api, and the salt is available as "customer_password_salt".

    Are you importing customers from a specific service, or is this a password encryption approach you set up yourself?
  • bledfeetbledfeet Member
    edited April 2014
    @fc_adam ,

    It is the way we encrypted the password.

    So does that mean if I set it to "customer_password_hash" my users will be able to login on the foxycart checkout?
    Will I be able to sync my user from Foxycart to my db when the user will create an account from foxycart ?
  • @fc_adam ,

    Sorry, I still don't fully understand.

    I succeeded in setting the "customer_password_hash" through your API.
    However, when I set my own "customer_password_salt" through your API, foxycart seems to still generate its own salt. Am I correct that this is what is going on? On our side, we generate our own salt when a customer creates an account. We use this salt to match a user's inputed password with our hashed password.

    As I understand it, you need to set our encryption algorithm $crypted_password_in_db = md5(md5($plain_text_password).$salt_in_our_db) on foxycart's end to allow us to sync user data between both foxycart's user list and our user list.

    Furthermore we want retrieve the customers' authentication data from foxycart so a user only has to login once on either our site or your checkout, with the same credentials to get full functionality on both our site and the foxycart checkout. In order to accomplish this both we and foxycart need to use the same algorithm to get the hashed password. Am I correct in my understanding and how can we solve this problem?

    Thank you for your time and effort.
  • fc_adamfc_adam FoxyCart Team

    Sorry - I should have been more clear in my last reply. At this stage - you won't be able to login as a customer of FoxyCart's side using your current password hashes. As we don't have a matching password algorithm set up on our side, the password matching will never pass. md5(md5($password).$salt) will never match md5($password.$salt).

    In regards to the salt changing - did you set the hash config setting in your advanced settings page in your store to match the length of the salt you're creating on your side? If the length of the salt your submitting doesn't match that number our system will create a new salt to match.

    In terms of adding support for that approach, that's something we'll need to do on our side. If you could email our helpdesk with a couple examples of plain text passwords and their hashed and salted equivalents, we'll work at adding support for that algorithm approach as soon as possible.

    For retrieving the customers authentication - I'm assuming you're meaning if a customer creates a new customer account from the checkout? One way to approach it would be to require customers create an account on your side before they hit the checkout - so they'd be automatically logged in and you'd sync the logged in status using SSO. To achieve the login syncing from when the customer logs in on the checkout though - take a look at this thread for details of that:
  • @fc_adam

    Thank you for these useful informations.

    I sent the all the informations you need via the contact form to the helpdesk for my encryption request. However,I didn't receive any notification that you received it. Did you get it?
  • fc_adamfc_adam FoxyCart Team

    Thanks for sending that in - and sorry for the delay in getting back to you. I believe Brett has replied to your email today.
Sign In or Register to comment.