OK... let's hash this out... (pun intended...)
What SMF did appears to be this:
Use bcrypt for passwords and SHA-512 for cookies
Shift from sha256(sha1(lower(username) . password)) to password_hash(sha1(lower(username) . password), PASSWORD_BCRYPT) which is a PHP 5.5 implementation of a costly bcrypt based algorithm (added a back porting library as well which makes it compatible till minimum of PHP 5.3.7). This is much slower and more secure than a simple one pass sha256.
Also, the cookies are shifted from sha256(password . salt) to sha512(password . salt) to give them that extra spice of security.
Reference from:
https://github.com/Dragooon/SMF2.1/commit/6c5c3b11bab0037d0e1a846912cc0b51c0772b1f
Please correct me if I'm wrong - but I don't think we really care about the password logic change - as we route any login/logout requests directly to SMF... The bridge code in smf20.inc.php does contain a password algorithm specified for 'name of the password field' - but not clear where we would ever use it...
The function "udb_hash_db($password)" is marked 'unused'...
I wouldn't expect the login function from udb_base.inc.php to even be used.
So is the issue the change from sha256 to sha512 for the cookies?
There is a session_extraction() function - but this doesn't even reference sha256 today...
I'd need to dig deeper here - unless someone can point me in the right direction.
If I can better understand the issue - certainly willing to help..
(I don't have a 2.1 forum to play with yet - but I can fix that shortly...)
Greg
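
The two password schemes and the cookie change described in the post, as an added PHP example; it is not part of the original post and is not SMF's or the bridge's own code. All function names are hypothetical, the sample values are constructed, and two things are assumptions: that the cookie's "password" is the stored hash, and that a legacy row is upgraded at the next successful login.

```php
<?php
// Added illustration. Function names are hypothetical, not SMF's or the bridge's.

// Inner value both schemes start from, per the post: sha1(lower(username) . password).
function inner_digest(string $user, string $pass): string
{
    return sha1(strtolower($user) . $pass);
}

// Old stored form as the post describes it: a single SHA-256 pass.
function legacy_hash(string $user, string $pass): string
{
    return hash('sha256', inner_digest($user, $pass));
}

// Check a login against whichever form is stored. Returns [valid, needsUpgrade].
// bcrypt embeds a random salt, so the stored value cannot be recomputed and
// compared as a string; it has to go through password_verify().
function verify_stored(string $user, string $pass, string $stored): array
{
    if (password_get_info($stored)['algoName'] === 'bcrypt') {
        $ok = password_verify(inner_digest($user, $pass), $stored);
        return [$ok, $ok && password_needs_rehash($stored, PASSWORD_BCRYPT)];
    }
    // Legacy row: constant-time compare; a match is flagged for re-hashing
    // (assumption: the upgrade happens at the next successful login).
    $ok = hash_equals($stored, legacy_hash($user, $pass));
    return [$ok, $ok];
}

// Cookie value as the post describes it: hash(password . salt).
// Assumption: "password" here is the stored hash, not the plaintext.
function cookie_token(string $stored, string $salt, string $algo): string
{
    return hash($algo, $stored . $salt);
}

// Constructed sample data.
$user = 'Alice'; $pass = 'correct horse'; $salt = 'a1b2';
$old = legacy_hash($user, $pass);
$new = password_hash(inner_digest($user, $pass), PASSWORD_BCRYPT);

var_dump(verify_stored($user, $pass, $old));   // legacy row
var_dump(verify_stored($user, $pass, $new));   // bcrypt row
var_dump(verify_stored($user, 'wrong', $new)); // wrong password
// Old and new cookie formulas compared over the same inputs.
var_dump(hash_equals(cookie_token($new, $salt, 'sha256'), cookie_token($new, $salt, 'sha512')));
```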