• Resolved alpha2

    (@neoseeyou)


    Hello

    I tried your plugin for a client and now I have issues with the WordPress passwords of all users.

    After validating the absolute path for the config.php, WP logged me out and the only way to log in was to create a new password.

    Any help please

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author axew3

    (@axewww)

    All passwords, as explained in the installation guide, are hashed the phpBB way on WordPress once the integration starts.

    But the installer user, who already exists in phpBB too, just needs to use the phpBB pass to log in. It should not be required to reset the pass.

    So once the plugin is uninstalled, WP users (not phpBB users) have to reset their password in order to log in to WP, because without the plugin, WP will not recognize the password hash.

    Once the integration starts, it is mandatory to transfer WP users to phpBB, and they are transferred with their WP pass: in this case, if a transferred user goes to log in on the phpBB side, they will need to reset the pass one time, or phpBB will not recognize the WP pass when the user tries to log in to phpBB, for the same reason (different hashes).

    We could add an option to not use this way, and leave passwords as they are hashed in WP: but in this case, you’ll need to exclude users from accessing the phpBB UCP or resetting their pass in phpBB, but just in WP, or the joke will not work. It could be very easy to achieve, but will require editing almost a file in phpBB.

    Existing and new phpBB users, instead, will be able to log in with their pass on both phpBB and WordPress once the integration ends.

    WP users transferred to phpBB, until they change their pass in WP, as said above, will not have changed their pass in WP until they update it one time, and will be able to log in on the WP side (but not the phpBB side, which is logical if my explanation is clear enough).

    I hope the fact that a user needs to reset the pass to log in isn’t a big problem.

    • This reply was modified 8 years, 1 month ago by axew3.
    Plugin Author axew3

    (@axewww)

    Please re-read the above, because I’ve edited it several times in the hope the explanation will be clear.

    Thread Starter alpha2

    (@neoseeyou)

    I understand partially (as English is not my native language) and I am afraid it’s a bit too complicated for my client.

    Unfortunately, now if I disable your plugin, all WP users will have to reset their password in order to log in. Is there an SQL query I could use in order to restore the WP users' passwords, without the need for them to individually reset their passwords themselves?

    Thank you

    • This reply was modified 8 years, 1 month ago by alpha2.
    Plugin Author axew3

    (@axewww)

    all wp users will have to reset their password

    Only transferred WP users that have reset their password, and all WP users added/registered after the integration started, will have to reset the password.

    So maybe not all WP users have to reset the pass when the integration ends in order to log in to WP, because they may not have changed the pass in WP or phpBB.

    The problem to this solution, if you do not want WP users to reset their password, is to continue to check the pass against the bcrypt library, filtering the wp_check_password function like the plugin does: check the pass against the WP hash format, if it matches validate the login; if it does not match, check against bcrypt, if it matches validate the login.
    The very little plugin (two files and a few fast lines) could be produced in a few steps.

    This is the code in the wp_w3all.php file about this:

    if ( ! function_exists( 'wp_check_password' ) && ! defined( 'WPW3ALL_NOT_ULINKED' ) ) :

    // Pluggable replacement for WP's wp_check_password(): try the WP hash
    // formats first, then fall back to the phpBB bcrypt check.
    function wp_check_password( $password, $hash, $user_id = '' ) {
        global $wp_hasher;

        if ( $user_id < 1 ) {
            return false;
        }

        $is_phpbb_admin = ( $user_id == 1 ) ? 1 : 0; // switch for phpBB admin // 1 admin 0 all others
        $wpu = get_user_by( 'ID', $user_id );

        // If the plugin's phpBB check returns a value, use it as the hash to verify against.
        $changed = WP_w3all_phpbb::check_phpbb_passw_match_on_wp_auth( $wpu->user_login, $is_phpbb_admin );

        if ( $changed !== false ) {
            $hash = $changed;
        }

        // If the hash is still md5...
        if ( strlen( $hash ) <= 32 ) {
            $check = hash_equals( $hash, md5( $password ) );
            //if ( $check && $user_id ) {
              // Rehash using new hash.
              // wp_set_password($password, $user_id);
              //  $hash = wp_hash_password($password);
            //}
        }

        if ( ! isset( $check ) || $check !== true ) { // md5 check failed or not fired above ...
            // new style phpass portable hash.
            if ( empty( $wp_hasher ) ) {
                require_once( ABSPATH . WPINC . '/class-phpass.php' );
                // By default, use the portable hash from phpass
                $wp_hasher = new PasswordHash( 8, true );
            }

            $password = trim( $password );
            $check = $wp_hasher->CheckPassword( $password, $hash ); // WP check
        }

        // WP check failed ... check that isn't an md5 at this point before to follow or get PHP Fatal error in ... addons/bcrypt/bcrypt.php:111
        if ( $check !== true && strlen( $hash ) > 32 ) {
            require_once( WPW3ALL_PLUGIN_DIR . 'addons/bcrypt/bcrypt.php' );
            // The candidate password is escaped and encoded before the bcrypt comparison.
            $password = htmlspecialchars( utf8_encode( $password ) );
            $ck = new w3_Bcrypt();
            $check = $ck->checkPassword( $password, $hash );
        }

        // On a successful check, set the phpBB session (or hook it to wp_login).
        if ( $check === true ) {
            if ( $wpu ) {
                $phpBB_user_session_set = WP_w3all_phpbb::phpBB_user_session_set_res( $wpu );
            } else {
                add_action( 'wp_login', 'wp_w3all_phpbb_login', 10, 2 );
            }
        }

        return apply_filters( 'check_password', $check, $password, $hash, $user_id );

    }

    endif;

    It can be modified with ease and adapted, but here it may depend on what easy means.
    Unfortunately there is no way to recognize a hash format against another hash format.

    P.S.: as a reminder about this, and a little off topic, I’ve experienced that if passwords don’t contain special chars, both hashes are recognized by bcrypt and phpass (the lib used by WP to hash passwords), but nobody has ever explained to me why this behavior happens.

    [EDITED]

    • This reply was modified 8 years, 1 month ago by axew3.
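
An added example, not part of the thread or the plugin's code: before disabling the plugin, an export of `user_login` and `user_pass` from `wp_users` can be checked for which accounts hold a hash the phpass-based WordPress check shown above verifies on its own (32-character MD5, `$P$`/`$H$` phpass) and which hold a bcrypt hash that only the plugin's fallback verifies. The prefixes are the standard ones for these formats; the function names and sample rows are constructed for illustration.

```python
import re
from collections import Counter

# phpass alphabet; the character after "$P$" encodes log2 of the iteration count.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")
PHPASS_RE = re.compile(r"\$[PH]\$[./0-9A-Za-z]{31}")
BCRYPT_RE = re.compile(r"\$2[abxy]\$(\d\d)\$[./0-9A-Za-z]{53}")

# Formats the MD5/phpass check verifies without the plugin's bcrypt fallback.
WP_NATIVE = {"md5", "phpass"}

def classify(stored):
    """Return (format, cost); cost is log2 of the rounds, or None for md5/unknown."""
    if MD5_RE.fullmatch(stored):
        return ("md5", None)
    if PHPASS_RE.fullmatch(stored):
        return ("phpass", ITOA64.index(stored[3]))
    m = BCRYPT_RE.fullmatch(stored)
    if m:
        return ("bcrypt", int(m.group(1)))
    return ("unknown", None)

def audit(rows):
    """rows: iterable of (user_login, user_pass). Returns (counts, logins needing a reset)."""
    counts, reset = Counter(), []
    for login, stored in rows:
        fmt, _ = classify(stored)
        counts[fmt] += 1
        if fmt not in WP_NATIVE:
            reset.append(login)
    return counts, reset

# Constructed sample rows shaped like real hashes (not real credentials).
SAMPLE = [
    ("legacy", "5f4dcc3b5aa765d61d8327deb882cf99"),  # unsalted MD5
    ("wp_only", "$P$B" + "a" * 30),                  # WordPress phpass
    ("phpbb_old", "$H$9" + "c" * 30),                # phpBB3 phpass variant
    ("synced", "$2y$10$" + "b" * 53),                # bcrypt written while integrated
    ("broken", "*"),                                 # unusable value
]

if __name__ == "__main__":
    counts, reset = audit(SAMPLE)
    print(dict(counts))
    print("need a reset once the plugin is removed:", reset)
```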

The topic ‘Issue with password’ is closed to new replies.