login issue
Posted by M@AATW
login issue August 23, 2006 05:38AM |
Registered: 18 years ago Posts: 278 |
After installing this mod - [www.phorum.org] - I find that some users are having trouble logging in - it says the user/password cannot be found. I assume this is because the cookie has been altered by the new mod, but I'm not sure.
If I go into the Admin panel and change the username there, it then works.
I am wondering how many users this may have affected that won't find out until they log out and then try to log back in. Is there a way I can log everyone out by invalidating the cookie, or resolve the issue another way?
EDIT: I see the author of the mod is reporting the same issue:
[www.phorum.org]
Edited 1 time(s). Last edit at 08/23/2006 05:43AM by M@AATW.
Re: login issue August 23, 2006 05:50AM |
Registered: 18 years ago Posts: 152 |
Hey,
that's odd, I hadn't thought that my module causes these problems...
Maybe someone could take a look at the sourcecode if there are any problems?
Greetings,
Clemens
--
Clemens Weiß
Webplain.de
Re: login issue August 23, 2006 05:55AM |
Admin Registered: 20 years ago Posts: 9,240 |
I think your update-script ( [www.phorum.org] ) is the problem.
you have that code in there:
    $user = phorum_user_get($rec["user_id"], false);
    if (!isset($user["mod_rating"]["posCount"])) $user["mod_rating"]["posCount"] = 0;
    if (!isset($user["mod_rating"]["negCount"])) $user["mod_rating"]["negCount"] = 0;
    $user["mod_rating"]["posCount"] += $meta["mod_rating"]["posCount"];
    $user["mod_rating"]["negCount"] += $meta["mod_rating"]["negCount"];
    phorum_user_save($user);
but phorum_user_save should only get the fields needing to be changed.
It calls phorum_user_prepare_data which does
    case "password":
    case "password_temp":
        if ( !$pwd_unchanged ) {
            $user[$key] = md5( $val );
        } elseif ( $pwd_unchanged == -1 ) {
            $user[$key] = $val;
        }
        break;
which means that your already md5-encoded passwords are md5-encoded again.
which leads to all users' passwords being invalid.
I guess your problem here
[www.phorum.org]
is coming from the same issue (maybe even the same script?).
Thomas Seifert
Edited 1 time(s). Last edit at 08/23/2006 05:57AM by ts77.
Re: login issue August 23, 2006 06:06AM |
Registered: 18 years ago Posts: 152 |
OK, I'll upload new versions.
So it affects all users that have been rated.
You should change your code examples in creating_mods.txt (2.5 Storing user data)...
Greetings,
Clemens
--
Clemens Weiß
Webplain.de
Re: login issue August 23, 2006 06:13AM |
Registered: 18 years ago Posts: 278 |
Re: login issue August 23, 2006 06:16AM |
Admin Registered: 20 years ago Posts: 9,240 |
Re: login issue August 23, 2006 06:17AM |
Registered: 18 years ago Posts: 152 |
No.
Only changing the user's password will solve the problem. I'm sorry...
I wrote an announcement in my forum and included the link in the error message the user receives.
--
Clemens Weiß
Webplain.de
Re: login issue August 23, 2006 06:23AM |
Registered: 18 years ago Posts: 278 |
Re: login issue August 23, 2006 06:25AM |
Registered: 18 years ago Posts: 152 |
Unfortunately not. I used the same code in the module, too.
So all users that are rated before you install the newest version will have that problem.
--
Clemens Weiß
Webplain.de
August 23, 2006 06:25AM |
Admin Registered: 18 years ago Posts: 8,532 |
So there are actually people that read the docs? :-) Sorry for the wrong information in there. I updated the documentation in both the 5.1 and the 5.2 tree. See changeset [1280] and changeset [1279] respectively.
Additionally, I will check if we can prevent this problem from happening in case others use the save function in the same way. I guess we could check if the password in the data already looks like the MD5 data in the database and not update it if this is the case. I think that the event where a user chooses a new password that exactly matches the MD5 sum of the previous password can be considered a quite rare event ;-)
Quote
M@AATW
So...will running the new script solve the problem for all those that were affected, even if they haven't logged out?
I am afraid that for those users you will have to reset the passwords. The problem is that the password information in the database was crippled and there's no way back from that. The only way would be if you had a backup of the data before the problem occurred, so you could fetch the password fields from that backup and put it in the running system.
Maurice Makaay
Phorum Development Team



Re: login issue August 23, 2006 06:37AM |
Registered: 18 years ago Posts: 278 |
Re: login issue August 23, 2006 06:39AM |
Admin Registered: 20 years ago Posts: 9,240 |
August 23, 2006 06:57AM |
Admin Registered: 18 years ago Posts: 8,532 |
Quote
Maurice
Additionally, I will check if we can prevent this problem from happening in case others use the save function in the same way.
Changeset [1282] implements a safety check that will prevent the password data from being updated in case the "new" password in the data matches the existing MD5 encrypted password for the user.
Maurice Makaay
Phorum Development Team
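
The double hashing Thomas Seifert describes and the safety check Maurice describes for changeset [1282], as an added sketch that is not Phorum's code or part of any post. The `demo_*` functions and the in-memory user table are hypothetical stand-ins, and the passwords are constructed sample values.

```php
<?php
// Added illustration; demo_* names are hypothetical, not Phorum's API.
$db = [];  // constructed in-memory "users table": user_id => record

// Returns the full record, including the stored password hash.
function demo_user_get(array $db, int $id): array { return $db[$id]; }

// Mirrors the behaviour described in the thread: any "password" field that
// is passed in gets hashed. $guard enables the check described for [1282].
function demo_user_save(array &$db, array $user, bool $guard = false): void {
    $id = $user["user_id"];
    foreach ($user as $key => $val) {
        if ($key === "password") {
            $stored = $db[$id]["password"] ?? null;
            if ($guard && $stored !== null && hash_equals($stored, $val)) {
                continue;  // incoming value is the existing hash: leave it alone
            }
            $val = md5($val);  // MD5 only because the thread's code uses it
        }
        $db[$id][$key] = $val;
    }
}

function demo_login(array $db, int $id, string $password): bool {
    return hash_equals($db[$id]["password"], md5($password));
}

function demo_register(array &$db, int $id, string $password): void {
    $db[$id] = ["user_id" => $id, "password" => md5($password), "posCount" => 0];
}

// 1. Buggy pattern: fetch the whole record, change one field, save it all.
//    The stored value becomes md5(md5(password)).
demo_register($db, 1, "constructed-pw-1");
$user = demo_user_get($db, 1);
$user["posCount"] += 1;
demo_user_save($db, $user);
echo "1 full-record save:     ", var_export(demo_login($db, 1, "constructed-pw-1"), true), "\n";

// 2. Caller-side fix: pass only the key and the fields that changed.
demo_register($db, 2, "constructed-pw-2");
demo_user_save($db, ["user_id" => 2, "posCount" => 1]);
echo "2 changed-fields save:  ", var_export(demo_login($db, 2, "constructed-pw-2"), true), "\n";

// 3. Library-side guard: a full-record save no longer re-hashes the hash.
demo_register($db, 3, "constructed-pw-3");
$user = demo_user_get($db, 3);
$user["posCount"] += 1;
demo_user_save($db, $user, true);
echo "3 guarded full save:    ", var_export(demo_login($db, 3, "constructed-pw-3"), true), "\n";
```

With the guard on, a new password that is literally the stored hash string is ignored, which is the rare case Maurice mentions.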


