SMF Version: SMF 1.1 RC2
Hi,
I just installed SMF 1.1 RC2 and came across a login problem also described in this thread: http://www.simplemachines.org/community/index.php?topic=67950.0. I found a workaround but I'd rather have a real solution.
The problem is: when I log in, I get the error message "password incorrect". Below it is the login form so you can try again. On the second try, login succeeds. As Sean-Khan pointed out in the thread I mentioned earlier, there is a difference between the first and the second login form. The first form contains
onsubmit="hashLoginPassword(this,...);"
in the <form> tag. In the second login form, there is no onsubmit attribute. This is what makes the difference between success and failure. I tried this in multiple browsers, all showed the same behaviour.
Of course I don't want to tell all users that this is 'just the way it works'. I found a workaround which disables password hashing the first time as well. In index.template.php, on line 273, after
// Otherwise they're a guest - this time ask them to either register or login - lazy bums...
else
{
I added
$context['disable_login_hashing'] = true;
It seems to work perfectly... but the purpose of hashing is not disabling it, is it? Hopefully someone knows a true solution to this issue. I know very little about password hashing so all thoughts are more than welcome. Thanks!
OK, I think I got some more answers.
Sean-Khan just PMed me that in his case the problem went away when he moved to another server. Then I found out that my host is running PHP 4.2.3, but the sha1 encryption used by SMF is only available in PHP 4.3.0 and higher... (My goodness :o PHP 4.2.3 was released 6 September 2002! What have they been doing?)
By the way: the system requirements on http://www.simplemachines.org/download/requirements.php say "PHP 4.1.0 or higher". Can this be considered correct when it results in these errors? (Or, put differently: what are the definitions of 'required' and 'recommended'?)
I've been having these problems, too. I just checked the PHP version on the server and it was 4.2.2. I will talk to the admin and see if I can get it upgraded (and if that fixes the problem).
Quote from: jitspoe on March 15, 2006, 05:02:12 AM
I will talk to the admin and see if I can get it upgraded (and if that fixes the problem).
Good luck convincing your admin to upgrade :-\ If that does fix the problem, please let us know.
Well, fortunately I actually know my admin. He's going to try to update it this weekend. With my current streak of luck, though, I fear it will entirely break the forums altogether.
I have the same problem, though the server is running PHP 4.4.1.
The difference is that I changed the character encoding of the HTML pages to UTF-8.
Every time I have a username with accented letters, Japanese characters and so on, the login hash fails.
So to fix it I made the same workaround patch:
<?php
#[...]
else
{
// Set to true, cause there is trouble with unicode character in login.
$context['disable_login_hashing'] = true;
echo '<script language="JavaScript" type="text/javascript".....';
#[...]
?>
But I don't like that kind of patch too much... So is there a better solution?
Another problem caused by the sha1 hash and UTF-8 is in the JavaScript function:
function hashAdminPassword(doForm, username, cur_session_id)
{
	// Compatibility.
	if (cur_session_id == null)
		cur_session_id = smf_session_id;

	if (typeof(hex_sha1) == "undefined")
		return;

	doForm.admin_hash_pass.value = hex_sha1(hex_sha1(username.toLowerCase() + doForm.admin_pass.value) + cur_session_id);
	doForm.admin_pass.value = doForm.admin_pass.value.replace(/./g, "*");
}
It causes administrators with special characters to be unable to confirm their password.
(If JavaScript is enabled.)
I can't spend too much time studying the SMF code, so I just used a workaround again >:(
In the function template_admin_login in Login.template.php
I changed the line:
<form action="', $scripturl, $context['get_data'], '" method="post" name="frmLogin" id="frmLogin"
onsubmit="hashAdminPassword(this, \'', $context['user']['username'], '\', \'', $context['session_id'], '\');">
to
<form action="', $scripturl, $context['get_data'], '" method="post" name="frmLogin" id="frmLogin">
Note: By the way, I think it's quite useless to do part of the security in JavaScript, because all users can deactivate JavaScript and bypass that protection.
So is there a solution to this problem or not?
Some notes in this post (http://www.simplemachines.org/community/index.php?topic=95019.msg681763#msg681763)
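The encoding mismatch behind the failures with accented or Japanese usernames, as an added example for Node.js that is not part of the thread and not SMF's own code. It assumes the browser-side hex_sha1() hashes one byte per character while the server hashes UTF-8 bytes; the helper names, session id and usernames are constructed for illustration.

```javascript
const crypto = require('crypto');

const sha1Hex = (bytes) => crypto.createHash('sha1').update(bytes).digest('hex');

// Assumption: the browser-side hex_sha1() hashes one byte per character,
// i.e. the low 8 bits of each UTF-16 code unit ('latin1' in Node truncates the same way).
const clientBytes = (s) => Buffer.from(s, 'latin1');

// Assumption: the server hashes the bytes it received from a UTF-8 page.
const serverBytes = (s) => Buffer.from(s, 'utf8');

// Same construction as hashAdminPassword() in the thread:
// sha1( sha1(lowercase(username) + password) + session_id )
function challengeHash(username, password, sessionId, toBytes) {
  const inner = sha1Hex(toBytes(username.toLowerCase() + password));
  return sha1Hex(toBytes(inner + sessionId));
}

// Compute both sides and report whether the login check would pass.
function compare(username, password, sessionId) {
  const client = challengeHash(username, password, sessionId, clientBytes);
  const server = challengeHash(username, password, sessionId, serverBytes);
  return { username, client, server, match: client === server };
}

// Flags credentials that only hash consistently if both sides agree on an encoding.
function hasNonAscii(s) {
  return /[^\x00-\x7f]/.test(s);
}

// Constructed sample data (not real accounts or session ids).
const SESSION_ID = '0123456789abcdef0123456789abcdef';
const SAMPLE_USERS = ['admin', 'josé', '管理者'];

function report() {
  return SAMPLE_USERS.map((u) => {
    const r = compare(u, 'example-password', SESSION_ID);
    return { username: u, nonAscii: hasNonAscii(u), match: r.match };
  });
}

console.log(report());
```

Under these assumptions only the ASCII username produces matching hashes; the two sides agree again once both hash the same byte sequence for the same string.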