trying to convert from yabb2.1 , now can't log in as admin

SleePy · October 09, 2008, 08:07:46 PM

Alright, I figured it out. Although it only works for versions of PHP 5 or higher. I have to see how I can get it to work with older versions of php though.

If you are using a version of php5 then I can simply show you how to edit your LogInOut.php so it can understand this password method

Which btw this is what I got to work:

Code Select


echo base64_encode(md5('password', true));

rkleemann · October 09, 2008, 09:06:05 PM

Quote from: SleePy on October 09, 2008, 08:07:46 PM
Alright, I figured it out. Although it only works for versions of PHP 5 or higher. I have to see how I can get it to work with older versions of php though.

If you are using a version of php5 then I can simply show you how to edit your LogInOut.php so it can understand this password method
Which btw this is what I got to work:
Code Select Expand
echo base64_encode(md5('password', true));

Awesome! I'll try it out since I do have PHP5. Let me know where to change it

SleePy · October 09, 2008, 09:17:36 PM

Alright,
well while I was waiting I found the php4 equivalent as well

But I will give you the php5 one as it is less complex.

Open LogInOut.php

Find:

Code Select

// Maybe they are using a hash from before the password fix.

Add before that:

Code Select

		// Yabb 2.1 hashed password?
		$other_passwords[] = base64_encode(md5($_REQUEST['passwrd']), true));

If you are using php4 that last line would be:

Code Select

$other_passwords[] = base64_encode(pack('H*', md5($_REQUEST['passwrd'])));
Not very fun trying to figure that out

Now if you enter your login details, it should let you in.

rkleemann · October 09, 2008, 09:24:18 PM

won't that get overwritten by the next line?

$other_passwords[] = sha1(strtolower($user_settings['memberName']) . addslashes(un_htmlspecialchars(stripslashes($_REQUEST['passwrd']))));

rkleemann · October 09, 2008, 10:06:29 PM

Anyway,

This is what happens... It doesn't give me the wrong password error, but it outputs this:

You can't retrieve your password, but you can set a new one by following a link sent to you by email. You also have the option of setting a new password by answering your secret question.

SleePy · October 10, 2008, 12:33:34 AM

No it won't be overridden. $other_passwords is an array. [] is being used to say set this as the next item in the array basically. SMF then checks to see if it found one of them in the array, If it can it knows to update the password.

How many times did you try to login? I know if you try to login to many times to soon SMF will give a fuss and try to keep you out (trying to prevent flooding).

rkleemann · October 10, 2008, 11:17:33 AM

Quote from: SleePy on October 10, 2008, 12:33:34 AM
No it won't be overridden. $other_passwords is an array. [] is being used to say set this as the next item in the array basically. SMF then checks to see if it found one of them in the array, If it can it knows to update the password.

How many times did you try to login? I know if you try to login to many times to soon SMF will give a fuss and try to keep you out (trying to prevent flooding).

Certainly over these past days it's been a good number of tries. Where is the number of tries info kept? Because I'm getting this behavior even if I clear out the smf_members and re-convert.

rkleemann · October 10, 2008, 12:30:23 PM

Quote from: SleePy on October 10, 2008, 12:33:34 AM
No it won't be overridden. $other_passwords is an array. [] is being used to say set this as the next item in the array basically. SMF then checks to see if it found one of them in the array, If it can it knows to update the password.

How many times did you try to login? I know if you try to login to many times to soon SMF will give a fuss and try to keep you out (trying to prevent flooding).

Ok, so I think that your fix still didn't quite work. I tried logging in as another user and it still gives me "Password Incorrect".

So in comparing the output of the new hashing technique with what's in the database showed some differences.

For example, one of the passwords in the database is "bfr1904" and in yabb21 it is "/f/hNRmNAHF/0EAM0nTYVQ".

However, when run through base64_encode(md5("bfr1904", true)) it yields "/f/hNRmNAHF/0EAM0nTYVQ==", so it has the extra "==" tacked on at the end.

SleePy · October 10, 2008, 03:22:49 PM

Try this for the code:

Code Select

$other_passwords[] = rtrim(base64_encode(md5($_REQUEST['passwrd']), true)), "=");

If we get this working. I am going to add it in the yabb file to work backwards from this so we won't need to edit the login file.

rkleemann · October 10, 2008, 06:54:56 PM

Well this just doesn't make sense...

Now that the password checking seems to be ok, I no longer get an error, but it simply just drops me to the login page as if I were not a registered user.

I just can't seem to make this work.

rkleemann · October 11, 2008, 07:17:23 PM

Ok so I started adding some debug.

What's happening now is that the password is matching. However the code just drops me back onto the login.

It gets all the way through the login, even up to the redirectexit, but then drops me back to the login.

So it DOES execute this line:
redirectexit('action=login2;sa=check;member=' . $ID_MEMBER, $context['server']['needs_login_fix']);

This is supposed to push me through to the boards, but I get dropped back to login.

What would cause this?

SleePy · October 13, 2008, 02:56:41 PM

Are you able to view posts and such fine?

I wonder if your server is not liking the ; at all.

rkleemann · October 13, 2008, 03:13:47 PM

Quote from: SleePy on October 13, 2008, 02:56:41 PM
Are you able to view posts and such fine?

I wonder if your server is not liking the ; at all.

Well, how would I view posts if I can't login? Remember, I'm still trying to convert from yabb21 and have never successfully logged in.

SleePy · October 14, 2008, 03:01:23 PM

I was hoping there would be some public posts you could see as a guest.

Are you sure you are being redirected to ?action=login on the forum and not the index page that is throwing up a login screen?
The check url you are being redirected to is to make sure cookies and your session exist. If it doesn't you get booted to the index. There is no way with the url like that, that you would go back to the login page.

rkleemann · October 14, 2008, 03:18:25 PM

Quote from: SleePy on October 14, 2008, 03:01:23 PM
I was hoping there would be some public posts you could see as a guest.

Are you sure you are being redirected to ?action=login on the forum and not the index page that is throwing up a login screen?
The check url you are being redirected to is to make sure cookies and your session exist. If it doesn't you get booted to the index. There is no way with the url like that, that you would go back to the login page.

What info can I provide you to help in this matter?

I can tell you for sure this line of code gets executed:
redirectexit('action=login2;sa=check;member=' . $ID_MEMBER, $context['server']['needs_login_fix']);

maintenance is set to 0 in Settings.php, and the only place in index.php that login2 seems to matter is when we're in maintenance mode.

What else can I look at?

SleePy · October 14, 2008, 03:22:28 PM

If you go to your board and the url has no ?action=xxx. Do you see a login page or a listing of categories and boards?

If you see a login page, then guest access is turned off on the forum. Which means it runs a kick guest function that gives you the login page.

rkleemann · October 14, 2008, 03:29:24 PM

Quote from: SleePy on October 14, 2008, 03:22:28 PM
If you go to your board and the url has no ?action=xxx. Do you see a login page or a listing of categories and boards?

If you see a login page, then guest access is turned off on the forum. Which means it runs a kick guest function that gives you the login page.

The original board did not have guest access, so I'm guessing this one doesn't either. I have to login to see the posts. If the password matches, why am I getting kicked back to the login?

SleePy · October 14, 2008, 04:03:01 PM

That would be because your session isn't being saved correctly.
Can you confirm that you are getting a cookie set in your browser?

If you are. Then I will need to get my laptop out to remember the name of the setting in the smf_settings table that tells it to use database driven sessions or not. It could be that it isn't using database driven sessions and it isn't saving that session right.

rkleemann · October 15, 2008, 12:24:55 AM

Quote from: SleePy on October 14, 2008, 04:03:01 PM
That would be because your session isn't being saved correctly.
Can you confirm that you are getting a cookie set in your browser?

If you are. Then I will need to get my laptop out to remember the name of the setting in the smf_settings table that tells it to use database driven sessions or not. It could be that it isn't using database driven sessions and it isn't saving that session right.

Ok, cookies are being set, but to me it doesn't look right. These are the cookies on the session:

lifetime => 0
path => /
domain =>
secure =>
httponly =>

looks like no meaningful data. There is data in the smf_sessions table, but I can't tell whether it's recent data or not.

SleePy · October 15, 2008, 11:55:40 AM

Go ahead and empty the smf_sessions table. This just contains information about any session. So removing it will not affect anything really.
Go to the smf_settings table. Search for "databaseSession_enable".
If this exists, make sure it is set to 1, if not, create this and set it to 1.

News:

trying to convert from yabb2.1 , now can't log in as admin