[SOLVED] Latest PHP-Fusion Bridging Does Not Work

 Foz
(@foz)
Posts: 16
Active Member
Topic starter
 

Due to the way that php-fusion has changed the password encryption in v6.01.12 onwards, get_session_vars.php will no longer load the user data and all users will be automatically logged out as soon as they enter the site.

This is due to this query:
"SELECT * FROM ("._AUTHORTABLE.", ".TABLEPREFIX."fanfiction_authorprefs as ap) WHERE "._UIDFIELD." = '$cookie_1' AND "._PASSWORDFIELD." ='$cookie_2' AND "._UIDFIELD." = ap.uid"

It lists a password field, but the passwords are now stored differently, so the query will never succeed.

I have removed the password check:
"SELECT * FROM ("._AUTHORTABLE.", ".TABLEPREFIX."fanfiction_authorprefs as ap) WHERE "._UIDFIELD." = '$cookie_1' AND "._UIDFIELD." = ap.uid"

and things return back to normal. However, this is removing quite an important check... is there a way to fix this up so it will work correctly?


 
Posted : 17/07/2008 6:41 pm
(@carissa)
Posts: 791
Member Moderator
 

Try logging into your admin account with the wrong password. If that works, you should let your site be broken rather than remove the check because that would mean anyone could log in as you and do some serious damage to your site.


 
Posted : 17/07/2008 7:39 pm
 Foz
(@foz)
Posts: 16
Active Member
Topic starter
 

Due to the password encrypting differences, I can't even log on through eFiction with the right or wrong password. I think the entire login process with eFiction alone with the bridge is in place is going to have to be eliminated... it doesn't bother me to do that - php-fusion is the main entry into my site.

My concern is why a password check was implemented in the first place - is there a way to log in without using the log in process without it?

If there is, could somebody please give me a hint on how to fix this please?


 
Posted : 18/07/2008 5:27 pm
(@tammy)
Posts: 2577
Member Moderator
 

Developer tools in FF and other browsers can be used to change cookie information.  You want to always check the password so someone doesn't change their cookie user_id from ### (a regular user) to 1 (the initial superadmin user).

Your problem is most likely in login.php not get_session_vars.php.

Change:


$encryptedpassword = md5($_POST['password']);

to


$encryptedpassword = md5(md5($_POST['password']));

Not tested. I don't have a v6.0.12+ site up right now that doesn't have a modified login.


 
Posted : 19/07/2008 2:49 pm
 Foz
(@foz)
Posts: 16
Active Member
Topic starter
 

No, that doesn't work. 🙁

However! It led me onto the right track! 🙂

By checking the setuser.php in php-fusion, it was doing almost exactly the same thing as get_session_vars.php - bar one thing.

Change this line:

$cookie_2 = (preg_match("/^[0-9a-z]{32}$/", $cookie_vars['1']) ? $cookie_vars['1'] : "");

to this:

$cookie_2 = md5((preg_match("/^[0-9a-z]{32}$/", $cookie_vars['1']) ? $cookie_vars['1'] : ""));

and everything works as it should be.

Thanks Tammy, you're a star!
~ Foz


 
Posted : 20/07/2008 7:40 am
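
The session check discussed in this thread, with the password comparison kept in place, as an added example that is not part of the thread and is not eFiction or php-fusion code. It assumes the cookie has the form `<uid>.<md5(password)>` and the database stores `md5(md5(password))`; the `authors` table, its columns, the function name and the sample passwords are hypothetical, and it needs the pdo_sqlite extension.

```php
<?php
// Added example; table, column and function names are hypothetical.
// Assumption: cookie is "<uid>.<md5(password)>" and the database stores
// md5(md5(password)), as the thread describes for php-fusion v6.01.12+.

function load_user_from_cookie(PDO $db, string $cookie): ?array
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    // Accept only a numeric uid and a 32-character lowercase hex hash.
    if (!ctype_digit($parts[0]) || !preg_match('/^[0-9a-f]{32}$/', $parts[1])) {
        return null;
    }
    // Bound parameter instead of concatenating cookie data into the SQL.
    $stmt = $db->prepare('SELECT uid, name, password FROM authors WHERE uid = ?');
    $stmt->execute([(int) $parts[0]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Hash the cookie value once more to match the stored form, then
    // compare in constant time. Without this step the uid alone decides.
    if (!hash_equals($row['password'], md5($parts[1]))) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authors (uid INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$ins = $db->prepare('INSERT INTO authors VALUES (?, ?, ?)');
$ins->execute([1, 'admin', md5(md5('constructed-admin-pw'))]);
$ins->execute([42, 'reader', md5(md5('constructed-reader-pw'))]);

$own    = '42.' . md5('constructed-reader-pw'); // the reader's own cookie
$edited = '1.' . md5('constructed-reader-pw');  // same hash, uid edited to 1

var_dump(load_user_from_cookie($db, $own) !== null);    // reader's own cookie
var_dump(load_user_from_cookie($db, $edited) !== null); // uid changed in the cookie
var_dump(load_user_from_cookie($db, 'abc') !== null);   // malformed cookie
```

With the comparison in place, only the first call loads a user; dropping it, as in the query with the password check removed, would let the second call load uid 1.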