Non-admin user passwords seem to be changing.

edited May 2014 in Bug Reports
I have had 2 users in the last weeks whose passwords have changed, without them changing them. I set it for them initially and when I changed it I noticed the saved hash changed. Is the password being rehashed on each login or something? Has anyone else seen this behaviour?

Comments

  • edited 12:48PM
    The password does get rehashed on each login. Is this using the latest version of FUEL?
  • edited 12:48PM
    v1.04
  • edited 12:48PM
    Hmm... we have run into that issue a couple of times without much luck in being able to track it down or replicate the issue. We issued a potential fix in a Dec 23rd commit, however, this was before v1.4, which would seem to mean that it's still potentially an issue. We haven't had the issue happen since that fix so we were hoping it was resolved. Are you able to replicate the issue at all or do you know what the users were doing right before (e.g. did they attempt to reset their password)? And just to confirm, the salt field in the fuel_users table is 32 characters long, correct? Below was the commit:
    https://github.com/daylightstudio/FUEL-CMS/commit/080ec13468a111b7efad0da9697d7b68912e0fe5
  • edited July 2014
    It went away, but it's happening again :(

    The user logged in on the 29th, but didn't make any changes, then when they tried to log in again on the 30th their password had changed.

    Yes, the salt value for all users is 32 characters.

    The code looks really straight-forward...but if updating the password/salt fails, the user won't be logged in. I added some extra logging to the Fuel_auth library to see if I can understand what's happening.

    I have them using database sessions now because of another issue that seemed to be related to in memory sessions.
  • edited July 2014
    This one is a bit of a bugger and I've spent hours trying to recreate it with no luck. We'll continue to investigate when we have time but if you are able to find the culprit, we'd really appreciate you sharing what you find out.
  • edited 12:48PM
    Will do
  • edited August 2014
    Yeah, same issue I was having. The super admin account hasn't had any problems, just the other user. Has happened three times more since I posted.
    http://forum.getfuelcms.com/discussion/1828/failed-login-correct-password#Item_3
  • edited 12:48PM
    The admin account never seems to have a problem for us either so perhaps that's an avenue to look at.
  • edited 12:48PM
    BTW... I've added some additional logging in the develop branch in the Fuel_auth::login method in case the update fails for some reason.
  • edited August 2014
    This just happened to me three times in a row, while I was changing permissions between trying to log in (using Firefox for superadmin and Chrome for admin). Could be related somehow.
    2014-08-05 11:18:22 User Successful login by 'admin' from xxx.xx.xx.xx debug
    2014-08-05 11:18:15 Super Admin Password reset from CMS for 'admin' from xxx.xx.xx.xx debug
    2014-08-05 11:18:15 Super Admin Users item info@website.com edited info
    2014-08-05 11:14:50 Account lockout for 'admin' from xxx.xx.xx.xx debug
    2014-08-05 11:14:42 Failed login by 'admin' from xxx.xx.xx.xx, login attempts: 2 debug
    2014-08-05 11:14:14 Failed login by 'admin' from xxx.xx.xx.xx, login attempts: 1 debug
    2014-08-05 11:13:35 Super Admin Permissions item tools/search edited info
    2014-08-05 11:13:19 Super Admin Multiple permissions deleted info
    2014-08-05 11:12:49 Super Admin Users item info@website.com edited info
    2014-08-05 11:12:16 Super Admin Permissions item tools/search edited info
    2014-08-05 11:11:41 Super Admin Multiple permissions deleted info
    2014-08-05 11:11:09 Super Admin Password reset from CMS for 'admin' from xxx.xx.xx.xx debug
    2014-08-05 11:11:09 Super Admin Users item info@website.com edited info
    2014-08-05 11:10:40 Account lockout for 'admin' from xxx.xx.xx.xx debug
    2014-08-05 11:10:27 Failed login by 'admin' from xxx.xx.xx.xx, login attempts: 2 debug
    2014-08-05 11:09:43 Super Admin Permissions item tools/search edited info
    2014-08-05 11:09:17 Super Admin Multiple permissions deleted info
    2014-08-05 11:08:30 Super Admin Password reset from CMS for 'admin' from xxx.xx.xx.xx debug
    2014-08-05 11:08:30 Super Admin Users item info@website.com edited info
    2014-08-05 11:07:29 Failed login by 'admin' from xxx.xx.xx.xx, login attempts: 1 debug
  • edited 12:48PM
    Are you able to recreate the problem following similar steps?
  • edited August 2014
    Yes I am! I made "test" permissions and added admin to "belongs to users."

    2014-08-06 07:42:34 Failed login by 'admin' from xxx.xx.xx.xx, login attempts: 1 debug
    2014-08-06 07:42:19 Super Admin Permissions item test edited info
    2014-08-06 07:41:46 Super Admin Successful login by 'superadmin' from xxx.xx.xx.xx debug
    2014-08-06 07:41:21 User Admin Successful login by 'admin' from xxx.xx.xx.xx debug
  • edited 12:48PM
    Excellent!!!... I see the problem and have posted a fix to the develop branch for you to test out. Thanks for your help in uncovering that.
  • edited August 2014
    Woo! And thank you for fixing it. :)

    2014-08-06 14:34:56 User Admin Successful login by 'admin' from xxx.xx.xx.xx debug
    2014-08-06 14:34:22 Super Admin Permissions item test edited info
    2014-08-06 14:34:06 User Admin Successful login by 'admin' from xxx.xx.xx.xx debug
    2014-08-06 14:33:47 Super Admin Successful login by 'superadmin' from xxx.xx.xx.xx debug
  • edited 12:48PM
    We spent a ton of time trying to figure out the problem and figured it was in that hook somewhere but we weren't able to identify what was triggering it so we couldn't really test it. So much easier when it's reproducible.
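
The reproduction in this thread shows up in the CMS activity log as a failed login that follows a successful one for the same account, with an admin edit in between and no password reset recorded. The following is an added example, not code from the thread or from FUEL CMS: a triage script for that pattern, where the sample log is constructed in the flattened newest-first layout posted above and the regular expressions are assumptions about that layout.

```python
import re
from datetime import datetime

# Constructed sample in the flattened, newest-first layout posted in the thread.
SAMPLE = (
    "2014-08-06 07:42:34 Failed login by 'admin' from xxx.xx.xx.xx, login attempts: 1 debug "
    "2014-08-06 07:42:19 Super Admin Permissions item test edited info "
    "2014-08-06 07:41:46 Super Admin Successful login by 'superadmin' from xxx.xx.xx.xx debug "
    "2014-08-06 07:41:21 User Admin Successful login by 'admin' from xxx.xx.xx.xx debug "
    "2014-08-06 07:30:02 Failed login by 'editor' from xxx.xx.xx.xx, login attempts: 1 debug "
    "2014-08-06 07:29:40 Super Admin Password reset from CMS for 'editor' from xxx.xx.xx.xx debug "
    "2014-08-06 07:29:40 Super Admin Users item editor@example.com edited info "
    "2014-08-06 07:20:00 User Successful login by 'editor' from xxx.xx.xx.xx debug"
)

# Assumed entry shape: timestamp, free-text message, then a level of debug or info.
ENTRY = re.compile(
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*?) (debug|info)"
    r"(?= \d{4}-\d{2}-\d{2} \d{2}:|\s*$)", re.S)
LOGIN = re.compile(r"(Successful|Failed) login by '([^']+)'")
RESET = re.compile(r"Password reset from CMS for '([^']+)'")
EDIT = re.compile(r"(?:Permissions|Users) item .* edited|permissions deleted")

def parse(text):
    """Split the flattened log into (timestamp, message) pairs, oldest first."""
    rows = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), msg)
            for ts, msg, _level in ENTRY.findall(text)]
    return sorted(rows, key=lambda r: r[0])

def unexplained_failures(text):
    """Failed logins that follow a good login with no password reset between."""
    ok_since = {}  # user -> admin edits logged since that user's last good login
    findings = []
    for ts, msg in parse(text):
        login, reset = LOGIN.search(msg), RESET.search(msg)
        if reset:
            ok_since.pop(reset.group(1), None)  # a reset explains later failures
        elif login and login.group(1) == "Successful":
            ok_since[login.group(2)] = []
        elif login and login.group(2) in ok_since:
            findings.append((login.group(2), ts, ok_since.pop(login.group(2))))
        elif EDIT.search(msg):
            for edits in ok_since.values():
                edits.append(msg)
    return findings
```

A finding can still be an ordinary mistyped password, so treat the output as accounts to review; the list of intervening admin edits in each finding is what ties it to the pattern reproduced above.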