Passwords not working after move (SilverStripe Forums, General Questions)

  • StuM
    Community Member
    56 Posts

    Passwords not working after move

    Hi All,

    I moved a small SilverStripe site today and the passwords stopped working, and I just can't work out what's happened. I've looked in both databases (via PhpMyAdmin) and the table structure of the Member table is identical and the data is identical, yet the password won't work. I can reset the password to get it working, but I have another 2 sites to relocate over the next few weeks, and one has lots of members; I don't want to have to get them all to regenerate their passwords. Does anybody know why this would happen???

  • Andy
    230 Posts

    Re: Passwords not working after move

    I've noticed this before - sometimes the differences in PHP versions mean that the hashes are generated differently. Not entirely sure what can be done about this - it might have something to do with the salt used?

  • StuM
    Community Member
    56 Posts

    Re: Passwords not working after move

    Hmmm okay, the old version is 5.2.10 on Debian/etch and the new version is 5.2.9 on Debian/lenny, so they are different. I use dotdeb, which rolled back to 5.2.9 due to problems with 5.2.10, so I can't get this new server up to 5.2.10. I did try loading the database onto my development machine, which is 5.2.9 on etch, so it appears it may be the operating system version rather than the PHP version.

    I've just stepped through the hashing code in the security class; everything is equal until it gets to:

    $password = substr(base_convert($password, 16, 36), 0, 64);

    That line gives different results. I have the feeling it's just a configuration setting; I'll experiment some more to try and isolate the issue better.

  • StuM
    Community Member
    56 Posts

    Re: Passwords not working after move

    I've found more on this:

    http://silverstripe.org/archive/show/219871
    http://silverstripe.org/archive/show/63803

    A small piece of test code:

    $str = str_repeat('1', 40);
    echo $str . '<br />';
    $str = base_convert($str, 16, 36);
    echo $str . "<br />";
    $str = base_convert($str, 36, 16);
    echo $str . '<br />';

    On all but Debian Lenny you get:

    1111111111111111111111111111111111111111
    1zrobwfazqu8okco4sw8g0cgwggs8k8
    1111111111111200000000000000000000000000

    And on Debian Lenny (64 bit) you get:

    1111111111111111111111111111111111111111
    1zrobwfazqvs5cw0wwc8os44o0044c8
    1111111111111100000000000000000000000000

    I'm trying to find a configuration setting to fix it. To fix it in SilverStripe, you'd need to modify the password checks to only use the first 10 characters of the packed hash.

  • Willr
    Forum Moderator
    5482 Posts

    Re: Passwords not working after move

    See the discussion on this issue here - http://open.silverstripe.com/ticket/3004

  • StuM
    Community Member
    56 Posts

    Re: Passwords not working after move

    Thanks for that - doesn't look like it's fixed yet, but it may give me some ideas on how to patch it until 2.4 is released.

  • StuM
    Community Member
    56 Posts

    Re: Passwords not working after move

    Would this be an acceptable hack?

    /**
     * Check if the passed password matches the stored one
     *
     * @param string $password The clear text password to check
     * @return bool Returns TRUE if the passed password is valid, otherwise FALSE.
     */
    public function checkPassword($password) {
        // Only confirm that the password matches if the user isn't locked out
        if(!$this->isLockedOut()) {
            $encryption_details = Security::encrypt_password($password, $this->Salt, $this->PasswordEncryption);
            if ($this->PasswordEncryption == 'none') {
                return ($this->Password === $encryption_details['password']);
            }
            // Compare only the first 9 characters of the stored and computed hashes
            return (substr($this->Password, 0, 9) === substr($encryption_details['password'], 0, 9));
        }
        // Locked out: report failure explicitly so the method always returns a bool
        return false;
    }

    It looks to me like it would work for all cases, and it tests okay.

  • *nishnish
    Community Member
    2 Posts

    Re: Passwords not working after move

    where would one implement this hack...?

    we have just found today that all the passwords for users and admin folk on most of the sites that we have done in SilverStripe have stopped working...

    we suspect it is on sites that are pre ss2.4...

    we can reset no worries with the forgot password thing but a couple of the sites have a biggish number of users etc...

    adios...

    nigel...
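
The packing problem and the prefix check discussed in this thread, as an added example that is not part of any post and is not SilverStripe code: it compares the float-based `base_convert()` packing with an exact GMP conversion, then goes one step beyond the thread by returning a fresh `password_hash()` value on a successful prefix match, so the truncated comparison is needed only once per account. It assumes the legacy hash is `sha1($password . $salt)`; the function names, salt and passwords are constructed for illustration.

```php
<?php
// Added example, not SilverStripe code. Assumes the legacy hash is
// sha1($password . $salt) packed with the base_convert() line quoted in the thread.
// Needs PHP 5.6+ and the gmp extension. All names and sample values are constructed.

// Legacy packing: base_convert() goes through a float, so low-order digits are lost.
function legacy_pack($hex) {
    return substr(base_convert($hex, 16, 36), 0, 64);
}

// Exact packing with arbitrary-precision integers; no float is involved.
function exact_pack($hex) {
    return gmp_strval(gmp_init($hex, 16), 36);
}

// Number of leading characters two strings share.
function common_prefix_len($a, $b) {
    $n = min(strlen($a), strlen($b));
    $i = 0;
    while ($i < $n && $a[$i] === $b[$i]) {
        $i++;
    }
    return $i;
}

// Check a password against a stored legacy hash on its leading characters only,
// and on success return a password_hash() value to store in its place.
function verify_and_upgrade($password, $salt, $stored, $prefixLen = 9) {
    $candidate = legacy_pack(sha1($password . $salt));
    $ok = strlen($stored) >= $prefixLen
        && hash_equals(substr($stored, 0, $prefixLen), substr($candidate, 0, $prefixLen));
    return array('ok' => $ok, 'newHash' => $ok ? password_hash($password, PASSWORD_DEFAULT) : null);
}

// 1. Where the float-based packing departs from the exact value.
$hex = str_repeat('1', 40);                       // value from the thread's test code
$lossy = legacy_pack($hex);
$exact = exact_pack($hex);
printf("lossy: %s\nexact: %s\n", $lossy, $exact);
printf("agree on the first %d characters\n", common_prefix_len($lossy, $exact));
printf("round trip restores input: %s\n", base_convert($lossy, 36, 16) === $hex ? 'yes' : 'no');
printf("9 base-36 characters carry at most %.1f bits\n", 9 * log(36, 2));

// 2. Prefix check plus upgrade, with a constructed credential.
$salt = 'constructed-salt';
$stored = legacy_pack(sha1('correct horse' . $salt)); // as the old server stored it
$good = verify_and_upgrade('correct horse', $salt, $stored);
$bad = verify_and_upgrade('wrong guess', $salt, $stored);
var_dump($good['ok'], password_verify('correct horse', $good['newHash']), $bad['ok']);
```

A nine-character comparison checks far less of the hash than the full stored string, which is why the example replaces the legacy value as soon as a login succeeds.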
