Question unable to authenticate user
- Norm
- Topic Author
I have been successfully using webtrees v1.0.6 locally to maintain my genealogical info. After upgrading to the latest version (1.1.2) I receive "unable to authenticate user" when trying to log in after the initial session.
I reinstalled multiple times to no avail. If I use phpMyAdmin to paste the "ChangeMe" hash into wt_user.password as per ToyGuy in this thread I can log in but if I change the password using My Page->My Account the next attempt to log in fails.
My system:
PHP 5.3.6-11
Mysql 5.1.57-1 (Debian)
Apache/2.2.19 (Debian)
I'd appreciate some help.
Thanks,
Norm
Norm
Debian Sid
PHP 7.0.14-2
Mysql 5.7.16-1 (Debian)
Apache/2.4.25 (Debian)
- fisharebest
- Administrator
Does it work if you choose a password containing just alpha-numerics?
Greg Roach - greg@subaqua.co.uk - @fisharebest@phpc.social - fisharebest.webtrees.net
- Norm
- Topic Author
Thanks for the reply!
EDIT: Don't know whether this will help or not but "changeme" hashes to: $6$riNAD2xN$H8X6CmQqAF/WCnjjI6felqJ2e8os7vH.m1oXGNrZXU1dFiAna9iT
- fisharebest
- Administrator
What happens if you use the "forgotten password" feature, and let webtrees generate a password and e-mail it to you?
- Norm
- Topic Author
I haven't used php much, but I took a peek at your source and tried this:
My wt_user.password field contains a 98 character string after setting/changing the password.
From the php5 docs here:
"Some operating systems support more than one type of hash. In fact, sometimes the standard DES-based algorithm is replaced by an MD5-based algorithm. The hash type is triggered by the salt argument."
I'm running Debian unstable. Could my system be choosing the wrong hash?
- fisharebest
- Administrator
$1 = MD5
$2 = Blowfish - anything with fish in the name must be good
$5 = SHA256
$6 = SHA512
I guess it is possible that your PHP upgrade changed the crypt function. Do the existing values in the database have a different prefix?
- Norm
- Topic Author
Anyway, just piddling around I got v1.1.2 to work by changing the following:
EDIT: From the Debian php5 package changelog:
php5 (5.3.6-1) unstable; urgency=low
. . .
* Fix regression with missing CRYPT_SALT_LENGTH (Closes: #603012)
* Generate SHA512 salt string when provided salt is null (Closes: #581170)
. . .
For now that change only affects Debian unstable, but it will eventually percolate down to the testing and stable distros, thus affecting any Debian LAMP setups out there.
- fisharebest
- Administrator
Firstly, by using the same salt every time, you are removing all the benefits of having a salt.
Secondly, by specifying a two-character salt, you are forcing crypt() to choose the weakest algorithm available.
<<I didn't know what to do with the line in login_register.php, since crypt() already has a second parameter>>
Nothing. You call crypt() with one parameter when you are generating a password hash, and you call it with two parameters when you are validating an existing password hash.
FYI, I've just tidied up the code a little, so that we only generate password hashes in one place. (Actually two places - the setup wizard needs its own.)
<<I'm running Debian unstable>>
If you want to code a workaround for this bug, you should generate a random salt of the correct format - for whichever algorithm you prefer. php.net/crypt has further details.
- Norm
- Topic Author
I think I have gotten to the bottom of my problem.
As I mentioned above, on my Debian Sid system php::crypt() returns a 98 byte string. Since wt_user.password is a varchar(64) field the following statement in check_user_password() always returns false because the field lengths are different:
Sorry for all of the “noise” above; as an autodidact I do a lot of flailing around.
- fisharebest
- Administrator
Don't apologise - this is not "noise". The password field is too small, and this is a bug. I've updated the code - when you upgrade to 1.1.3, it will increase the size of this column to 128 characters.