Advertisement:

Author Topic: $_POST['passwrd'] blank after login  (Read 614 times)

Offline dorje77

  • Semi-Newbie
  • *
  • Posts: 43
  • Gender: Male
    • Community artistimarziali.org
$_POST['passwrd'] blank after login
« on: December 06, 2017, 03:02:08 AM »
Hi!
I'm using SMF2WPBridge and it worked (I found out 2 users created by the bridge in WP). Today I saw a new user in WP without password and I decided to start a debug. I deleted (in WP) a fake user that I've tested days ago with the bridge (and that has been created without problems in WP). Then I tried to log in again in SMF, but this doesn't create user in WP.
Debugging step-by-step the plugin, I found that it stops here:
Code: [Select]
} else if (!empty($_POST['passwrd'])) {
In fact, the value is empty - so the plugin doesn't trigger the user creation stuff.

Any ideas? :)
Knowledge is power.
Power corrupts.
Therefore, knowledge corrupts.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 68,041
    • Arantor on GitHub
Re: $_POST['passwrd'] blank after login
« Reply #1 on: December 06, 2017, 04:18:52 AM »
The password is invariably taken away and replaced with an encrypted version during login.

I'd personally do it via the integration hooks, e.g. the one for user login, to test if the user exists on the WP side.
To assume is to hope that those who came before had the presence of mind and capacity to implement the dreams of those who would come after.

You either die a hero or live long enough to see yourself become the villain. It seems you have chosen which, and now I must do the same.

Offline dorje77

  • Semi-Newbie
  • *
  • Posts: 43
  • Gender: Male
    • Community artistimarziali.org
Re: $_POST['passwrd'] blank after login
« Reply #2 on: December 06, 2017, 05:26:03 AM »

The password is invariably taken away and replaced with an encrypted version during login.

I suspected something like this. What I really don't understand is: how the hell were other users created in WP, if the password is invariably taken away before triggering code of SMF2WPbridge?

I'd personally do it via the integration hooks, e.g. the one for user login, to test if the user exists on the WP side.

Yes, this is how the plugin actually works.
Knowledge is power.
Power corrupts.
Therefore, knowledge corrupts.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 68,041
    • Arantor on GitHub
Re: $_POST['passwrd'] blank after login
« Reply #3 on: December 06, 2017, 06:17:16 AM »
...still not sure why you need the actual password. I'd argue WP should be deferring checking password to SMF or vice versa.
To assume is to hope that those who came before had the presence of mind and capacity to implement the dreams of those who would come after.

You either die a hero or live long enough to see yourself become the villain. It seems you have chosen which, and now I must do the same.

Offline dorje77

  • Semi-Newbie
  • *
  • Posts: 43
  • Gender: Male
    • Community artistimarziali.org
Re: $_POST['passwrd'] blank after login
« Reply #4 on: December 06, 2017, 07:11:54 AM »
...still not sure why you need the actual password. I'd argue WP should be deferring checking password to SMF or vice versa.

The plugin uses (includes) wp scripts "saveged" from wp installation path to create users, if they are  not found in wp.

The $_POST['passwrd'] value is used as argument in wp_create_user function, as is.

The strange thing is that this value was not empty some days ago... Users were created without problem.

I only changed thigs in my tamplate - but I didn't see login - related parts.
Knowledge is power.
Power corrupts.
Therefore, knowledge corrupts.

Offline dorje77

  • Semi-Newbie
  • *
  • Posts: 43
  • Gender: Male
    • Community artistimarziali.org
Re: $_POST['passwrd'] blank after login
« Reply #5 on: December 06, 2017, 08:32:05 AM »
Forcing

Code: [Select]
$context['disable_login_hashing'] = true;

solved that... I wonder if there are problems with this kind of workaround?
Knowledge is power.
Power corrupts.
Therefore, knowledge corrupts.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 55,106
  • Gender: Male
    • Kindred-999 on GitHub
Re: $_POST['passwrd'] blank after login
« Reply #6 on: December 06, 2017, 01:59:19 PM »
 it is distinctly insecure?
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 68,041
    • Arantor on GitHub
Re: $_POST['passwrd'] blank after login
« Reply #7 on: December 06, 2017, 05:47:12 PM »
it is distinctly insecure?

Only if you're still using HTTP.
To assume is to hope that those who came before had the presence of mind and capacity to implement the dreams of those who would come after.

You either die a hero or live long enough to see yourself become the villain. It seems you have chosen which, and now I must do the same.

Offline dorje77

  • Semi-Newbie
  • *
  • Posts: 43
  • Gender: Male
    • Community artistimarziali.org
Re: $_POST['passwrd'] blank after login
« Reply #8 on: December 07, 2017, 12:19:25 AM »
Only if you're still using HTTP.

Well, just implemented ssl a week ago!  :D

Thank you for brainstorming. :)
Knowledge is power.
Power corrupts.
Therefore, knowledge corrupts.