Non-admin user passwords seem to be changing.

SomethingOn · May 2014

I have had 2 users in the last weeks who's passwords have changed, without them changing them. I set it for them initially and when I changed it I noticed the saved hash changed. Is the password being rehashed on each login or something? Has anyone else seen this behaviour?

admin · May 2014

The password does get rehashed on each login. Is this using the latest version of FUEL?

SomethingOn · May 2014

v1.04

admin · May 2014

Hmm... we have ran into that issue a couple times without much luck in able to track it down or replicate the issue. We issued a potential fix in a Dec 23rd commit, however, this was before v1.4 which would seem that it's still potentially an issue. We haven't had the issue happen since that fix so we were hoping it was resolved. Are you able to replicate the issue at all or do you know what the users were doing right before (e.g. did they attempt to reset their password). And just to confirm, the salt field in the fuel_users table is 32 characters long correct? Below was the commit:
https://github.com/daylightstudio/FUEL-CMS/commit/080ec13468a111b7efad0da9697d7b68912e0fe5

SomethingOn · July 2014

It went away, but it's happening again

The user logged in on the 29th, but didn't make any changes, then when they tried to log in again on the 30th their password had changed.

Yes, the salt value for all users is 32 characters.

The code looks really straight-forward...but if updating the password/salt fails, the user won't be logged in. I added some extra logging to the Fuel_auth library to see if I can understand what's happening.

I have them using database sessions now because of another issue that seemed to be related to in memory sessions.

admin · July 2014

This one is a bit of a bugger and I've spent hours trying to recreate it with no luck. We'll continue to investigate when we have time but if you are able to find the culprit, we'd really appreciate sharing what you find out.

SomethingOn · July 2014

Will do

gogogarl · August 2014

Yeah, same issue I was having. The super admin account hasn't had any problems, just the other user. Has happened three times more since I posted.
http://forum.getfuelcms.com/discussion/1828/failed-login-correct-password#Item_3

admin · August 2014

The admin account never seems to have a problem for us either so perhaps that's an avenue to look at.

admin · August 2014

BTW... I've added some additional logging in the develop branch in the Fuel_auth::login method in case the update fails for some reason.

gogogarl · August 2014

This just happened to me three times in a row, while I was changing permissions between trying to log in (using Firefox for superadmin and Chrome for admin). Could be related somehow.

2014-08-05 11:18:22 	User 	Successful login by 'admin' from xxx.xx.xx.xx 	debug
2014-08-05 11:18:15 	Super Admin 	Password reset from CMS for 'admin' from xxx.xx.xx.xx 	debug
2014-08-05 11:18:15 	Super Admin 	Users item info@website.com edited 	info
2014-08-05 11:14:50 	  	Account lockout for 'admin' from xxx.xx.xx.xx 	debug
2014-08-05 11:14:42 	  	Failed login by 'admin' from xxx.xx.xx.xx, login attempts: 2 	debug
2014-08-05 11:14:14 	  	Failed login by 'admin' from xxx.xx.xx.xx, login attempts: 1 	debug
2014-08-05 11:13:35 	Super Admin 	Permissions item tools/search edited 	info
2014-08-05 11:13:19 	Super Admin 	Multiple permissions deleted 	info
2014-08-05 11:12:49 	Super Admin 	Users item info@website.com edited 	info
2014-08-05 11:12:16 	Super Admin 	Permissions item tools/search edited 	info
2014-08-05 11:11:41 	Super Admin 	Multiple permissions deleted 	info
2014-08-05 11:11:09 	Super Admin 	Password reset from CMS for 'admin' from xxx.xx.xx.xx 	debug
2014-08-05 11:11:09 	Super Admin 	Users item info@website.com edited 	info
2014-08-05 11:10:40 	  	Account lockout for 'admin' from xxx.xx.xx.xx 	debug
2014-08-05 11:10:27 	  	Failed login by 'admin' from xxx.xx.xx.xx, login attempts: 2 	debug
2014-08-05 11:09:43 	Super Admin 	Permissions item tools/search edited 	info
2014-08-05 11:09:17 	Super Admin 	Multiple permissions deleted 	info
2014-08-05 11:08:30 	Super Admin 	Password reset from CMS for 'admin' from xxx.xx.xx.xx 	debug
2014-08-05 11:08:30 	Super Admin 	Users item info@website.com edited 	info
2014-08-05 11:07:29 	  	Failed login by 'admin' from xxx.xx.xx.xx, login attempts: 1 	debug

admin · August 2014

Are you able to recreate the problem following similar steps?

gogogarl · August 2014

Yes I am! I made "test" permissions and added admin to "belongs to users."

2014-08-06 07:42:34 	  	Failed login by 'admin' from xxx.xx.xx.xx, login attempts: 1 	debug
2014-08-06 07:42:19 	Super Admin 	Permissions item test edited 	info
2014-08-06 07:41:46 	Super Admin 	Successful login by 'superadmin' from xxx.xx.xx.xx 	debug
2014-08-06 07:41:21 	User Admin 	Successful login by 'admin' from xxx.xx.xx.xx 	debug

admin · August 2014

Excellent!!!... I see the problem and have posted a fix to the develop branch for you to test out. Thanks for your help in uncovering that.

gogogarl · August 2014

Woo! And thank you for fixing it.

2014-08-06 14:34:56 	User Admin 	Successful login by 'admin' from xxx.xx.xx.xx 	debug
2014-08-06 14:34:22 	Super Admin 	Permissions item test edited 	info
2014-08-06 14:34:06 	User Admin 	Successful login by 'admin' from xxx.xx.xx.xx 	debug
2014-08-06 14:33:47 	Super Admin 	Successful login by 'superadmin' from xxx.xx.xx.xx 	debug

admin · August 2014

We spent a ton a time trying to figure out the problem and figured it was in that hook somewhere but we weren't able to identify what was triggering it so we couldn't really test it. So much easier when it's reproducible.

Howdy, Stranger!

Categories

Non-admin user passwords seem to be changing.

Comments