Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

General Questions

General questions about getting started with SilverStripe that don't fit in any of the categories above.

Moderators: martimiz, Sean, biapar, Willr, Ingo, swaiba, simon_w

Passwords not working after move


Reply

8 Posts   2644 Views

Avatar
StuM

29 July 2009 at 1:17pm Community Member, 56 Posts

Hi All,

I moved a small SilverStripe site today and the passwords stopped working, and I just can't work out what's happened. I've looked in both databases(via PhpMyAdmin) and the table structure of the Member table is identical and the data is identical, yet the password won't work. I can reset the password to get it working, but I have another 2 sites to relocate over the next few weeks, one has lots of members that I don't want to have to get them all to regenerate their passwords. Does anybody know why this would happen???

Avatar
Andy

29 July 2009 at 2:22pm 230 Posts

I've noticed this before - sometimes the differences in php versions mean that the hashes are generated differently. Not entirely sure what can be done about this - it might have something to do with the salt used?

Avatar
StuM

29 July 2009 at 3:14pm Community Member, 56 Posts

hmmm okay, the old version is 5.2.10 on debian/etch, the new version 5.2.9 on debian/lenny so they are different. I use dotdeb which rolled back to 5.2.9 due to problems with 5.2.10 so I can't get this new server up to 5.2.10. I did try loading the database onto my development machine which is 5.2.9 on etch, so it appears it may be the operating system version rather than the php version.

I've just stepped through the hashing code in the security class, everything is equal until it gets to:

$password = substr(base_convert($password, 16, 36), 0, 64);

that line gives different results, I have the feeling it's just a configuration setting, I'll experiment some more to try and isolate the issue better

Avatar
StuM

30 July 2009 at 9:21am Community Member, 56 Posts

I've found more on this:

http://silverstripe.org/archive/show/219871
http://silverstripe.org/archive/show/63803

a small piece of test code:

$str = str_repeat('1', 40);
echo $str . '<br />';
$str = base_convert($str, 16, 36);
echo $str . "<br />";
$str = base_convert($str, 36, 16);
echo $str . '<br />';

on all but Debian Lenny you get:

1111111111111111111111111111111111111111
1zrobwfazqu8okco4sw8g0cgwggs8k8
1111111111111200000000000000000000000000

and on Debian Lenny(64 bit) you get:

1111111111111111111111111111111111111111
1zrobwfazqvs5cw0wwc8os44o0044c8
1111111111111100000000000000000000000000

I'm trying to find a configuration setting to fix it. To fix in SilverStripe, you'd need to modify the password checks to only use the first 10 characters of the packed hash.

Avatar
Willr

30 July 2009 at 10:07am Forum Moderator, 5511 Posts

See the discussion on this issue here - http://open.silverstripe.com/ticket/3004

Avatar
StuM

30 July 2009 at 1:55pm Community Member, 56 Posts

thanks for that - doesn't look like it's fixed yet, but may give me some ideas on how to patch it until 2.4 is released

Avatar
StuM

30 July 2009 at 9:00pm (Last edited: 30 July 2009 9:09pm), Community Member, 56 Posts

Would this be an acceptable hack?

/**
    * Check if the passed password matches the stored one
    *
    * @param string $password The clear text password to check
    * @return bool Returns TRUE if the passed password is valid, otherwise FALSE.
    */
   public function checkPassword($password) {
      // Only confirm that the password matches if the user isn't locked out
      if(!$this->isLockedOut()) {
         $encryption_details = Security::encrypt_password($password, $this->Salt, $this->PasswordEncryption);
         if ($this->PasswordEncryption == 'none')
         {
            return ($this->Password === $encryption_details['password']);
         }
         return (substr($this->Password, 0, 9) === substr($encryption_details['password'], 0, 9));
      }
   }

It looks to me like it would work for all cases, and it tests okay

Avatar
*nishnish

5 October 2010 at 7:51pm Community Member, 2 Posts

where would one implement this hack...?

we have just found today that all the passwords for users and admin folk on most of the sites that we have done in silverstripe have stopped working...

we suspect it is on sites that are pre ss2.4...

we can reset no worries with the forgot password thing but a couple of the sites have a biggish number of useres etc...

adios...

nigel...