hashLoginPassword problem & only half a solution

Started by marcvangend, March 14, 2006, 08:28:25 AM


marcvangend

SMF Version: SMF 1.1 RC2
Hi,

I just installed SMF 1.1 RC2 and came across a login problem also described in this thread: http://www.simplemachines.org/community/index.php?topic=67950.0. I found a workaround but I'd rather have a real solution.

The problem is: when I login, I get the error message "password incorrect". Below it is the login form so you can try again. On the second try, login succeeds. As Sean-Khan pointed out in the thread I mentioned earlier, there is a difference between the first and the second login form. The first form contains
onsubmit="hashLoginPassword(this,...);"
in the <form> tag. In the second login form, there is no onSubmit attribute. This is what makes the difference between success and failure. I tried this in multiple browsers, all showed the same behaviour.

Of course I don't want to tell all users that this is 'just the way it works'. I found a workaround which disables password hashing the first time as well. In index.template.php, on line 273, after
// Otherwise they're a guest - this time ask them to either register or login - lazy bums...
else
{
I added
$context['disable_login_hashing'] = true;

It seems to work perfectly... but the purpose of hashing is not disabling it, is it? Hopefully someone knows a true solution to this issue. I know very little about password hashing so all thoughts are more than welcome. Thanks!

marcvangend

OK, I think I got some more answers.

Sean-Khan just PMed me that in his case the problem went away when he moved to another server. Then I found out that my host is running PHP 4.2.3, but the sha1 encryption used by SMF is only available in PHP 4.3.0 and higher... (My goodness :o PHP 4.2.3 was released 6 September 2002! What have they been doing?)

By the way: the system requirements on http://www.simplemachines.org/download/requirements.php say "PHP 4.1.0 or higher". Can this be considered correct when it results in these errors? (Or, put differently: what are the definitions of 'required' and 'recommended'?)

jitspoe

I've been having these problems, too.  I just checked the php version on the server and it was 4.2.2.  I will talk to the admin and see if I can get it upgraded (and if that fixes the problem).

marcvangend

Quote from: jitspoe - March 15, 2006, 05:02:12 AM
I will talk to the admin and see if I can get it upgraded (and if that fixes the problem).
Good luck convincing your admin to upgrade :-\ If that does fix the problem, please let us know.

jitspoe

Well, fortunately I actually know my admin.  He's going to try to update it this weekend.  With my current streak of luck, though, I fear it will entirely break the forums altogether.

Sébastien

#5
I have the same problem, though the server is running PHP 4.4.1.
The difference is that I changed the character encoding of the HTML page to UTF-8.
And every time I have a username with accentuated letters or Japanese characters and so on,
the login hash fails. So to fix it I made the same workaround patch:
Code (php)

<?php
#[...]
else
{
	// Set to true, because there is trouble with Unicode characters in login.
	$context['disable_login_hashing'] = true;
	echo '<script language="JavaScript" type="text/javascript".....';
#[...]
?>

But I don't like that kind of patch too much... So is there a better solution?

Sébastien

#6
Another problem because of the sha1 hash and UTF-8 is in the JavaScript function:

Code (javascript)

function hashAdminPassword(doForm, username, cur_session_id)
{
	// Compatibility.
	if (cur_session_id == null)
		cur_session_id = smf_session_id;

	// No client-side SHA-1 function loaded: submit the form unhashed.
	if (typeof(hex_sha1) == "undefined")
		return;

	// Send sha1(sha1(lowercased username + password) + session id), then mask the typed password.
	doForm.admin_hash_pass.value = hex_sha1(hex_sha1(username.toLowerCase() + doForm.admin_pass.value) + cur_session_id);
	doForm.admin_pass.value = doForm.admin_pass.value.replace(/./g, "*");
}

It causes administrators with special characters to be unable to confirm their password
(if JavaScript is enabled).
I can't spend too much time studying the SMF code, so I just used a workaround again  >:(

In the function template_admin_login in Login.template.php, I changed the line:
<form action="', $scripturl, $context['get_data'], '" method="post" name="frmLogin" id="frmLogin"
onsubmit="hashAdminPassword(this, \'', $context['user']['username'], '\', \'', $context['session_id'], '\');">

to
<form action="', $scripturl, $context['get_data'], '" method="post" name="frmLogin" id="frmLogin">


Note: By the way it's quite useless, I think, to do part of security in JavaScript. Cause all users can deactivate the JavaScript and bypass that protection.
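
Added example (not part of the original posts, and not SMF's code): the login-hash mismatch for non-ASCII usernames reported above, reproduced in Node.js. It assumes the client-side hex_sha1 takes one byte per character (the low 8 bits of each code unit) while the server hashes the UTF-8 bytes of the same text; the helper names, accounts and session id are constructed.

```javascript
const nodeCrypto = require('crypto');

// SHA-1 hex digest of an array of byte values.
function sha1Hex(bytes) {
  return nodeCrypto.createHash('sha1').update(Buffer.from(bytes)).digest('hex');
}

// ASSUMED client behaviour: one byte per character, keeping only the low
// 8 bits of each UTF-16 code unit (hex_sha1 itself is not shown in the thread).
function lowByteEncode(str) {
  const out = [];
  for (let i = 0; i < str.length; i++) out.push(str.charCodeAt(i) & 0xff);
  return out;
}

// ASSUMED server behaviour: hash the UTF-8 bytes of the submitted text.
function utf8Encode(str) {
  return Array.from(Buffer.from(str, 'utf8'));
}

// Construction quoted in the thread:
// hex_sha1(hex_sha1(username.toLowerCase() + password) + session_id)
function loginHash(encode, username, password, sessionId) {
  const inner = sha1Hex(encode(username.toLowerCase() + password));
  return sha1Hex(encode(inner + sessionId));
}

// True when the hash the browser submits equals the one the server expects.
function clientMatchesServer(username, password, sessionId) {
  return loginHash(lowByteEncode, username, password, sessionId) ===
    loginHash(utf8Encode, username, password, sessionId);
}

// Constructed sample accounts and session id (not taken from the thread).
const SESSION_ID = '0123456789abcdef0123456789abcdef';
const SAMPLES = [
  ['alice', 'correct horse'],
  ['zoë', 'correct horse'],
  ['青山', 'correct horse'],
  ['bob', 'pässword'],
];

function report() {
  return SAMPLES.map(([user, pass]) =>
    ({ user, match: clientMatchesServer(user, pass, SESSION_ID) }));
}

console.log(report());
```

Under these assumptions only the all-ASCII account matches; hashing the same UTF-8 byte sequence on both sides removes the mismatch without setting disable_login_hashing.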
