- by hcs at 9:21 PM EDT on August 16, 2016
- Yeah, try a new user, just to see if it's something with your account.
edited 9:22 PM EDT August 16, 2016
- by NistoTest at 10:34 PM EDT on August 16, 2016
- Well, looks like that worked.
- by hcs at 11:02 PM EDT on August 16, 2016
Is your password by any chance longer than 31 characters? I noticed that the login form limits it to 31 chars, as do most of the forms besides the one for submitting a post or thread.
Whether it is or not, maybe you could try changing it, on the chance that it is sticking things up somehow? Again no good reason, I'm calling password_verify pretty much the same way on both paths...
edited 11:06 PM EDT August 16, 2016
- by Nisto at 11:05 PM EDT on August 16, 2016
- Ah, yep, that's probably it then. It's one right above that..
- by hcs at 11:08 PM EDT on August 16, 2016
- Aha! Silly that, nothing should have the 31 limit, I think; I just shouldn't bother limiting password length to the size of the fixed width field since I'm storing the hash in the db now instead of just storing it in plaintext like I did for a decade.
But if I lift the limit everywhere, then anyone else in your situation isn't going to be able to log in anymore (unless they manually leave off the chars). More consistent would be to "enforce" the same limit everywhere; as the new user and password change forms already have that limit, that's the password the forum already expects.
edited 11:16 PM EDT August 16, 2016
- by Nisto at 11:16 PM EDT on August 16, 2016
- It is a good idea to have some limit though, it seems. Strings longer than 72 characters for bcrypt hashes will be truncated, according to the PHP docs.
- by hcs at 11:17 PM EDT on August 16, 2016
- But all I care about it being able to compute the same hash, so it doesn't matter.
edited 11:25 PM EDT August 16, 2016
- by Nisto at 10:45 AM EDT on October 11, 2017
- I bumped into an authentication bug that at least affects posting and editing stuff. This is how it can be reproduced:
- Log in using any browser
- Log in using a different browser, without logging out from the first browser
- Try to make a post with the first browser
I looked at the source code and it seems the authentication fails because the login token is updated in the database while the token in the cookies remains different between the browsers, so only the most recent login works properly. You should probably have a user_tokens table or something. (I can see the concerns with that approach myself, though.)
HCS Forum Index
Go to Page 0 1 2 3 4
Search this thread
Show all threads
Reply to this thread:
Halley's Comet Software
Generated in 0.0029s;