WHMCS - How to generate the upw session variable

As of version 5.1.2 WHMCS added an extra salt bit to the UPW hash and also uses sha1 for the hash. The salt is taken from the CC encryption hash.

<?php

// WHMCS configuration file
require_once('path/to/whmcs/configuration.php');

// DB connection
$dbh = mysql_connect($db_host,$db_username,$db_password) or die('MySQL connection failed');
mysql_select_db($db_name, $dbh) or die('Failed to select whmcs_dbname database');

// Get user info (in this case user id 1)
$query = sprintf("SELECT * FROM `tblclients` WHERE userid = %d", 1);
$result = mysql_query($query, $dbh);
if($result === FALSE) die("Query Failed: " . mysql_error());
$userRow = mysql_fetch_assoc($result);

// Start a session if one hasnt already been started
if(!session_id()) session_start();

// Set Session data
$_SESSION['uid'] = $userRow['id'];
$_SESSION['upw'] = sha1($userRow['id'] . $userRow['password'] . $_SERVER['REMOTE_ADDR'] . substr(sha1($cc_encryption_hash),0,20));

?>

Below is code showing how the upw session variable is generated on a WHMCS install

<?php

// DB connection
$dbh = mysql_connect('localhost','user','pass') or die('MySQL connection failed');
mysql_select_db('whmcs_dbname', $dbh) or die('Failed to select whmcs_dbname database');

// Get user info (in this case user id 1)
$query = sprintf("SELECT * FROM `tblclients` WHERE userid = %d", 1);
$result = mysql_query($query, $dbh);
if($result === FALSE) die("Query Failed: " . mysql_error());
$userRow = mysql_fetch_assoc($result);

// Start a session if one hasnt already been started
if(!session_id()) session_start();

// Set Session data
$_SESSION['uid'] = $userRow['id'];
$_SESSION['upw'] = md5($userRow['id'] . $userRow['password'] . $_SERVER['REMOTE_ADDR']);

?>