Implemented better password hashing algorithm

lib/user.class.php

@@ -82,8 +82,24 @@
                 // any users?
                 if ($user_counter>0) {
                     // compare passwords
-                    if(!strcmp(md5($user_pass), $users[0]['user_pass'])) {
-                        // all ok: user is logged in, register session data
+                    if(!strcmp(md5($user_pass), rtrim($users[0]['user_pass']))) {
+                        // all ok: user is logged in
+
+                        // md5 match but outdated. rewrite with new algo
+                        $newhash = password_hash($user_pass, PASSWORD_BCRYPT);
+                        $query = "UPDATE user SET user_pass='" . $newhash. "' WHERE user_id=" . $users[0]['user_id'];
+                        $db->db_update($query);
+
+                    } else {
+                        if (! password_verify($user_pass, $users[0]['user_pass'])) {
+                            return FALSE;
+                        }
+                    }
+                } else {
+                    return FALSE;
+                }
+
+            // register session data
                 $_SESSION['suser_id'] = $users[0]['user_id'];
                 $_SESSION['suser_displayname'] = $users[0]['user_displayname'];
                 $_SESSION['suser_language'] = $users[0]['user_language'];
@@ -103,12 +119,6 @@
                 $_SESSION['suser_menu_vlans'] = $users[0]['user_menu_vlans'];
                 $_SESSION['suser_menu_zones'] = $users[0]['user_menu_zones'];
                 $_SESSION['suser_tooltips'] = $users[0]['user_tooltips'];
-                    } else {
-                        return FALSE;
-                    }
-                } else {
-                    return FALSE;
-                }
 
             // no errors found, return
             return TRUE;