Author Topic: After changing password or resetpassword no log-in  (Read 10448 times)

wwtg

  • Jr. Member
  • **
  • Posts: 2
After changing password or resetpassword no log-in
« on: February 24, 2014, 06:07:37 PM »
I upgraded from version 1.6.8 to 1.6.9.
I noticed that the operators can log in with the 'old' password, but if they update their password, or reset their password,
then it keeps saying "Entered login/password is incorrect".
The same for creating new operators... The chosen password won't work either...

I see in the database (MySQL 5.0.90) that the generated new vcpassword is much longer and a part of the username is included...


Is it because of the .htaccess? I have only this
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

because the other instructions give me internal server error 500.
Running Apache/2.0.58 (FreeBSD) PHP/5.2.8 with Suhosin-Patch mod_ssl/2.0.58 OpenSSL/0.9.7e-p1

Can someone help me?

faf

  • Mibew Staff Member
  • Native
  • *****
  • Posts: 950
    • Mibew Messenger
Re: After changing password or resetpassword no log-in
« Reply #1 on: February 24, 2014, 09:08:02 PM »
Your problem has nothing to do with .htaccess. You're using obsolete server software, so I suppose that there is something wrong with your crypt PHP function.

I'd recommend you to update your system.

The other way is to simplify the calculate_password_hash function in libs/operator.php, but it will weaken security (not to mention the fact that you'll have to manually patch every new release of Mibew).

falcon

  • Sr. Member
  • ****
  • Posts: 44
Re: After changing password or resetpassword no log-in
« Reply #2 on: February 24, 2014, 10:19:11 PM »
I had the exact problem, with cookie cleaning + 20 login tries and the session lost after closing the browser.

So, we could not update PHP because of cPanel. A new PHP will cause problems for the hosting.
I have solved that problem by replacing this code in libs/operator.php:

Code:
function calculate_password_hash($login, $password)
{
    // '*0' is the marker for "no usable hash produced yet"
    $hash = '*0';

    // Blowfish branch switched off on purpose: the original condition is
    // commented out and replaced with one that is always false.
    // if (CRYPT_BLOWFISH == 1) {
    if (1 == 2) {
        if (defined('PHP_VERSION_ID') && (PHP_VERSION_ID > 50306)) {
            $hash = crypt($password, '$2y$08$' . $login);
        }
        else {
            $hash = crypt($password, '$2a$08$' . $login);
        }
    }

    // MD5-crypt, salted with the login, when the branch above gave nothing
    if ( (CRYPT_MD5 == 1) && !strcmp($hash, '*0') ) {
        $hash = crypt($password, '$1$' . $login);
    }

    // Last resort: plain unsalted md5 of the password
    return strcmp($hash, '*0') ? $hash : md5($password);
}

I have disabled CRYPT_BLOWFISH and regenerated password hashes (changed/restored passwords to equal ones)
You can fully comment/delete first block from blowfish to md5 if because crypt generates different values.

Maybe, you can find better solution (:
« Last Edit: February 24, 2014, 10:22:56 PM by falcon »
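
A way to test the "something wrong with your crypt PHP function" diagnosis before weakening the hash, added here as an example and not code from Mibew or from any poster in this thread: it runs crypt() with the three salt prefixes from the function above and checks each result. The login `operator1`, the sample password and the function names `check_crypt_scheme` and `run_crypt_diagnostic` are constructed for the example; the syntax is kept compatible with PHP 5.2.

```php
<?php
// Added diagnostic, not Mibew code. Login and password below are constructed samples.

// Hash once with "$prefix . $login" as salt (the construction used in the
// thread's calculate_password_hash) and report whether the result is usable.
function check_crypt_scheme($prefix, $login, $password)
{
    $salt = $prefix . $login;
    $hash = crypt($password, $salt);
    // On failure crypt() returns a string shorter than 13 characters ("*0"/"*1").
    $failed = !is_string($hash) || strlen($hash) < 13 || $hash[0] === '*';
    return array(
        'hash'       => $hash,
        'length'     => is_string($hash) ? strlen($hash) : 0,
        'failed'     => $failed,
        // A working scheme echoes its own prefix; anything else means crypt()
        // did not use the requested algorithm.
        'has_prefix' => !$failed && strncmp($hash, $prefix, strlen($prefix)) === 0,
        // Assumption: login recomputes the hash from login + password and compares
        // it with the stored value, so equal inputs must give equal output.
        'repeatable' => !$failed && crypt($password, $salt) === $hash,
    );
}

// Check every prefix the function tries against what this PHP build advertises.
function run_crypt_diagnostic($login, $password)
{
    $schemes = array(
        '$2y$08$' => CRYPT_BLOWFISH,
        '$2a$08$' => CRYPT_BLOWFISH,
        '$1$'     => CRYPT_MD5,
    );
    $report = array();
    foreach ($schemes as $prefix => $advertised) {
        $r = check_crypt_scheme($prefix, $login, $password);
        $r['advertised'] = ($advertised == 1);
        // Advertised but not usable is the kind of broken crypt() that can
        // stop freshly set passwords from validating.
        $r['usable'] = $r['advertised'] && $r['has_prefix'] && $r['repeatable'];
        $report[$prefix] = $r;
    }
    return $report;
}

printf("PHP %s\n", PHP_VERSION);
foreach (run_crypt_diagnostic('operator1', 'Constructed-Sample-Pw') as $prefix => $r) {
    printf("%-8s advertised=%d usable=%d len=%d hash=%s\n",
        $prefix, $r['advertised'], $r['usable'], $r['length'], $r['hash']);
}
```

The reported `len` can also be compared with the width of the column that stores the hash, since a longer hash format only verifies if it is stored in full.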

wwtg

  • Jr. Member
  • **
  • Posts: 2
Re: After changing password or resetpassword no log-in
« Reply #3 on: February 25, 2014, 10:34:30 AM »
I installed the old version again, only on a different location and behind an htaccess password.
The new version runs on the website. Only changing passwords I do through the old version.

It's for the time being...
I have to change a lot before I use a new server with the latest php and FreeBSD.

But thank you for your help and suggestions.

faf

  • Mibew Staff Member
  • Native
  • *****
  • Posts: 950
    • Mibew Messenger
Re: After changing password or resetpassword no log-in
« Reply #4 on: February 25, 2014, 10:43:07 AM »
Just want you to know that the algorithm of password hashing was changed in version 1.6.6...