Transferring from Zen Cart, User Passwords?

For general questions and discussions specific to the AbleCommerce 7.0 Asp.Net product.
Mark Harris
Lieutenant, Jr. Grade (LT JG)
Posts: 37
Joined: Fri Mar 28, 2008 3:50 pm
Location: Perth, Western Australia

Post by Mark Harris » Mon Mar 31, 2008 12:39 am

I'm in the process of writing an application to transform my data from Zen Cart (MySQL) to AC. Passwords in ZC are messed with then md5'ed so there is no way of transferring them. If I don't set a password on the user's account how do they log in for the first time?

I see that passwords are what appears to be Base64 encoded SHA1 hashes in AC. Perhaps I can just generate a new password and email every user? This might also be a nice way to alert them to the new store and some new products we are going to release with the new software.

Is there anything else that AC does to the password other than SHA1? Unfortunately the CommerceBuilder.Users namespace is obfuscated so I can't look into it to see what is going on :)

sohaib
Developer
Posts: 1079
Joined: Fri Jan 23, 2004 1:38 am

Post by sohaib » Mon Mar 31, 2008 1:17 am

When using CommerceBuilder API you don't have to worry about encoding or decoding of the passwords. When you set a password for a User object it is automatically encoded or encrypted before it is saved to database.
You just set the password in plain text:

    User.SetPassword(PasswordInPlainText);
    User.Save();

Creating new users goes something like this:

    MembershipCreateStatus status;
    User newUser = UserDataSource.CreateUser(EmailAddressPlainText, PasswordPlainText, string.Empty, string.Empty, true, 0, out status);
    if (status == MembershipCreateStatus.Success)
    {
        // Successfully created; proceed further.
    }
    else
    {
        // Could not be created; check the reason for the error and handle accordingly.
    }

BTW, I wonder why you are giving up on converting ZC passwords? There surely must be a way.
It can be a big problem for your customers to update to new passwords. Customers usually do not like the slightest of inconveniences.

Mark Harris
Lieutenant, Jr. Grade (LT JG)
Posts: 37
Joined: Fri Mar 28, 2008 3:50 pm
Location: Perth, Western Australia

Post by Mark Harris » Mon Mar 31, 2008 1:22 am

Thanks. I'm actually talking to the database directly for convenience. I maintain the connection to two databases, read out one to a datatable, then iterate the rows running INSERTS through a command using parameters in a transaction. If all goes well, I commit the transaction then move on to the next set of data to move.

MD5 is a one way encryption, Zen Cart also salts it before MD5 so there is no way to check it. I'd have to modify the login code in AC to be the same as Zen Cart, however I can't do that because I don't have the source code to your Commerce Builder project ;)

Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Post by Logan Rhodehamel » Mon Mar 31, 2008 5:12 pm

Mark Harris wrote:
MD5 is a one way encryption, Zen Cart also salts it before MD5 so there is no way to check it. I'd have to modify the login code in AC to be the same as Zen Cart, however I can't do that because I don't have the source code to your Commerce Builder project ;)

If you can determine the salt value, and your cart adds the salt value to the end of the plain text, you can convert them without a source modification. I don't know how Zen Cart uses and saves the salt, but you might.

AC7 passwords are not stored quite the same way. We take the bytes of the hash, append the salt bytes, then encode the whole mess in base 64. The base 64 encoded value is what goes to the database.

Here is some code that you can use to convert MD5 or SHA1 hashes over to a format understood by AbleCommerce 7.

    private Byte[] HexToBytes(string hexhash)
    {
        if (string.IsNullOrEmpty(hexhash)) return null;
        if (hexhash.Length % 2 == 1) hexhash = "0" + hexhash;
        int arr_size = hexhash.Length / 2;
        Byte[] bytes = new Byte[arr_size];
        for (int i = 0; i < arr_size; i++)
            bytes[i] = Convert.ToByte(hexhash.Substring(i * 2, 2), 16);
        return bytes;
    }

    private string ConvertFromHexHash(string hexhash, byte[] saltBytes)
    {
        //FIRST, TURN THE HEX DIGEST INTO AN ARRAY OF BYTES
        byte[] hashBytes = HexToBytes(hexhash);
        if ((hashBytes == null) || (hashBytes.Length == 0)) return string.Empty;

        //MAKE SURE THE SALT BYTES ARRAY IS NOT NULL
        if (saltBytes == null) saltBytes = new byte[0];

        //CREATE NEW ARRAY THAT WILL COMBINE HASH VALUE WITH SALT BYTES
        byte[] hashWithSaltBytes = new byte[hashBytes.Length + saltBytes.Length];

        //COPY HASH BYTES INTO ARRAY
        for (int i = 0; i < hashBytes.Length; i++)
            hashWithSaltBytes[i] = hashBytes[i];

        //APPEND SALT BYTES INTO ARRAY
        for (int i = 0; i < saltBytes.Length; i++)
            hashWithSaltBytes[hashBytes.Length + i] = saltBytes[i];

        //ENCODE THE COMBINED BYTE ARRAY TO BASE 64 STRING
        string hashValue = Convert.ToBase64String(hashWithSaltBytes);

        //UPDATED HASH VALUE IS READY FOR STORAGE
        return hashValue;
    }

Let me break this down in an example of where it can be used. If you hash "password" using MD5 without any salt value, the digest will look like this: 5f4dcc3b5aa765d61d8327deb882cf99

Then to put into AbleCommerce, we have to convert that digest into the 16 bytes it represents. There is no salt to append, and we encode those bytes into base 64 to get the final result: X03MO1qnZdYdgyfeuILPmQ==

Suppose we hash password and append the salt value a. Our digest will look like this: f2f555205f367f5b51faee7ebb8dcc1b.

Again we convert that to the 16 byte array. We append one byte for the "a" salt value, ending up with a 17 byte array. The 17 bytes are base 64 encoded to get the final result: 8vVVIF82f1tR+u5+u43MG2E=

So again, if you can determine the salt used by Zen Cart, and the plain text that is hashed is password + salt, then you can directly convert them. Otherwise, you should be able to use the code above to generate your own passwords as you see fit. Just create an MD5 or SHA1 hash of the desired password + salt, then pass the values into the convert method. It will produce a value you can store into the ac_UserPasswords table.
Cheers,
Logan

If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.

Mark Harris
Lieutenant, Jr. Grade (LT JG)
Posts: 37
Joined: Fri Mar 28, 2008 3:50 pm
Location: Perth, Western Australia

Post by Mark Harris » Mon Mar 31, 2008 5:38 pm

    // This function makes a new password from a plaintext password.
    function zen_encrypt_password($plain) {
      $password = '';

      for ($i=0; $i<10; $i++) {
        $password .= zen_rand();
      }

      $salt = substr(md5($password), 0, 2);

      $password = md5($salt . $plain) . ':' . $salt;

      return $password;
    }

So the password has 10 random characters appended. Then that password is MD5'ed and we take the first 2 characters as salt. Then salt + password are MD5'ed and have ":salt" appended to them.

This way you end up with something like: '0839d5dc48417f3d50a68766551a816d:53'

Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Post by Logan Rhodehamel » Mon Mar 31, 2008 5:55 pm

Hmm... let me discuss it with the team. I have already registered a feature request for AC71 so that we could support these passwords. Unfortunately our current code is looking for plain + salt, which means we can't take these straight over. All we are lacking is a way to know whether the salt was prepended or appended to the plaintext.
Cheers,
Logan

If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.
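
The mismatch discussed in the two posts above, as an added example (not code from AbleCommerce, Zen Cart or any poster in this thread): it parses a Zen Cart `md5hex:salt` value, repacks it in the base64(hash + salt) layout, and tests it against an assumed model of the AC7 plain + salt check. The class and method names, the fixed 16-byte MD5 split and the sample password and salt are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class ZenToAc7Demo
{
    static readonly MD5 Md5 = MD5.Create();

    // Split Zen Cart's "md5hex:salt" value into raw hash bytes and salt bytes.
    static (byte[] Hash, byte[] Salt) ParseZenCart(string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 2 || parts[0].Length != 32)
            throw new FormatException("expected <32 hex chars>:<salt>");
        byte[] hash = Enumerable.Range(0, 16)
            .Select(i => Convert.ToByte(parts[0].Substring(i * 2, 2), 16)).ToArray();
        return (hash, Encoding.ASCII.GetBytes(parts[1]));
    }

    // AC7 layout as described in the thread: base64(hash bytes + salt bytes).
    static string ToAc7(byte[] hash, byte[] salt) =>
        Convert.ToBase64String(hash.Concat(salt).ToArray());

    // ASSUMED model of the AC7 check: MD5(plain + salt) against the first 16 bytes.
    static bool VerifyPlainThenSalt(string ac7Value, string plain)
    {
        byte[] all = Convert.FromBase64String(ac7Value);
        byte[] input = Encoding.ASCII.GetBytes(plain).Concat(all.Skip(16)).ToArray();
        return Md5.ComputeHash(input).SequenceEqual(all.Take(16));
    }

    static string Md5Hex(string s) => BitConverter
        .ToString(Md5.ComputeHash(Encoding.ASCII.GetBytes(s))).Replace("-", "").ToLowerInvariant();

    static void Main()
    {
        // Constructed sample values, not real customer data.
        string plain = "password", salt = "53";
        string zenOrder = Md5Hex(salt + plain) + ":" + salt; // zen_encrypt_password order
        string ac7Order = Md5Hex(plain + salt) + ":" + salt; // order AC7 looks for
        foreach (string stored in new[] { zenOrder, ac7Order })
        {
            var (hash, saltBytes) = ParseZenCart(stored);
            string ac7 = ToAc7(hash, saltBytes);
            Console.WriteLine($"{ac7} verifies: {VerifyPlainThenSalt(ac7, plain)}");
        }
    }
}
```

The Zen Cart value repacks without error but fails the plain + salt check, while the same password hashed in plain + salt order passes, so the repacking alone cannot carry salt-first hashes across.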

joebeazelman
Lieutenant (LT)
Posts: 78
Joined: Wed Mar 05, 2008 11:27 am

Post by joebeazelman » Thu Jul 03, 2008 1:21 pm

Is there any update on this? I am having the same issues moving the customers over to AbleCommerce. BTW Mark, if you need some SQL scripts for converting from Zen to AbleCommerce let me know.

WylieE
Captain (CAPT)
Posts: 281
Joined: Tue Mar 25, 2008 8:26 am
Location: Puyallup, WA

Post by WylieE » Thu Jul 03, 2008 2:50 pm

Subscribed.

We are investigating a similar issue of exporting from osCommerce to AC7.
Eric Wylie
Warmoth Guitar Products, Inc.
http://www.warmoth.com

bill@izilla.com.au
Ensign (ENS)
Posts: 3
Joined: Wed Sep 24, 2008 11:56 pm

Post by bill@izilla.com.au » Fri Oct 10, 2008 1:07 am

WylieE wrote:
Subscribed.

We are investigating a similar issue of exporting from osCommerce to AC7.

+1

bradsjm
Ensign (ENS)
Posts: 2
Joined: Wed Feb 17, 2010 7:55 pm

Post by bradsjm » Tue Apr 20, 2010 3:39 pm

WylieE wrote:
Subscribed.

We are investigating a similar issue of exporting from osCommerce to AC7.

I have the same issue with MagentoCommerce to AC7, they also put the salt at the start not the end.

s_ismail
Commander (CMDR)
Posts: 162
Joined: Mon Nov 09, 2009 12:20 am

Post by s_ismail » Wed May 05, 2010 6:14 am

First try to find which algorithm they are using to encrypt passwords, then do a Google search to decrypt the password using that algorithm.
