Authenticating DotNetNuke Users in ColdFusion

Question

Is there any way to authenticate users from other web apps using the DNN logins?

We have a main site that is using DNN and user logins are stored in the asp net mem

Answer 1

Most likely the password is not encrypted, it is hashed. Hashing is different from encrypting, because it is not reversible.

You would not use ColdFusion's encrypt() function for this, you would use its hash() function.

So the questions you'll need to answer to figure out how to hash the passwords in CF to be able to auth against the DNN users are:

1. What algorithm is DNN using to hash the passwords?
2. How is the salt being used with the password prior to hashing?
3. Is DNN iterating over the hash X number of times to improve security?

All of those questions must be answered to determine how CF must use the hash() function in combination with the salt and user-submitted passwords.

I'll make some assumptions to provide an answer.

If we assume that noiteration is being done and that the salt is simply being appended to the password prior to using SHA1 to hash the password, then you'd be able to reproduce the hash digest like this: