• I’m creating a custom user registration screen for a plugin and everything works fine. The user is created and assigned a random password.

    The problem is that the login process (the default WordPress wp-login.php) rejects the password.

    Having traced through the code, it appears that the hash of the password stored in the database is different from the hash being created when the password is entered in the login screen.

    This suggests the bug is in how I hash & store the password during user creation but the code looks right and relies on standard WP functions.

    Can anyone offer any suggestions?

    /** Adds the user to the WordPress system
     * It is a cut down version wp-includes/registration.php wp_insert_user
     */
    private function createUser( $user_login, $password, $user_email) {
        global $wpdb;

        $user_login = esc_html( trim( $user_login ));
        $user_email = esc_html( trim( $user_email ));

        $update = false;

        // Hash the password
        $user_pass = wp_hash_password($password);

        $user_login = sanitize_user($user_login, true);
        $user_login = apply_filters('pre_user_login', $user_login);

        $user_email = apply_filters('pre_user_email', $user_email);

        $rich_editing = 'true';
        $comment_shortcuts = 'false';
        $admin_color = 'fresh';
        $admin_color = preg_replace('|[^a-z0-9 _.\-@]|i', '', $admin_color);
        $use_ssl = 0;
        $user_registered = gmdate('Y-m-d H:i:s');

        $data = compact( 'user_pass', 'user_email', 'user_registered' );
        $data = stripslashes_deep( $data );

        $wpdb->insert( $wpdb->users, $data + compact( 'user_login' ) );
        $user_id = (int) $wpdb->insert_id;

        update_usermeta( $user_id, 'rich_editing', $rich_editing);
        update_usermeta( $user_id, 'comment_shortcuts', $comment_shortcuts);
        update_usermeta( $user_id, 'admin_color', $admin_color);
        update_usermeta( $user_id, 'use_ssl', $use_ssl);

        $user = new WP_User($user_id);
        $user->set_role(TACS_AFFILIATE_ROLE);

        wp_cache_delete($user_id, 'users');
        wp_cache_delete($user_login, 'userlogins');

        do_action('user_register', $user_id);

        return $user_id;
    }

    Example:

    Plain text password passed to the code above:
    wWFNJ5WVItDj

    Stored password, hashed by the code above: $P$Bux0eEtTqlP/PYoyVRgNYnudssLFhd/

    What wp-login via class-phpass.php -> CheckPassword thinks the hash of the plain text password should be:
    $P$Bux0eEtTq78PqC77J2i4LFT.ggSDa81

    As the two hashes are different, the login process fails but I cannot see why this difference exists.

    What am I missing?

Viewing 5 replies - 1 through 5 (of 5 total)
  • moved to advanced forums

    Thread Starter tregenza

    (@tregenza)

    Quick update.

    I double-checked my code on a completely clean install of WordPress 2.8.4 – the problem still exists.

    So I tried moving back a level of abstraction and instead of having my own version of wp-includes/registration.php wp_insert_user, I added

    require_once( ABSPATH . WPINC . '/registration.php');

    and pretty much copied includes/registration.php wp_create_user, the function that normally calls wp_insert_user. This produced exactly the same results.

    Trying to step back another level, I added

    require_once( ABSPATH . '/wp-login.php');

    and tried to call wp-login register_new_user.

    Now I get Call to undefined function wp_authenticate() in /usr/share/wordpressClean/wordpress/wp-includes/user.php on line 51

    ‘wp_authenticate’ is in pluggable.php and is only loaded after the plugins are loaded (so the plugins can define their own functions).

    This pretty much makes it impossible for a plugin to use the wp-login.php functions. Not a great design really.

    This still leaves me with my fundamental bug, which is when I hash the password, I get a different result than ‘wp-login.php’. I suspect that this has something to do with salt values but crypto is not my strong suit. My best guess is that ‘Wp-login.php’ loads or initialises something and my code doesn’t.

    Thread Starter tregenza

    (@tregenza)

    Headdesk headdesk headdesk

    Problem solved - a typo in my own code.

    Damn PHP for not failing when undeclared variables are used.

    Damn my eyes for not spotting the glaring typo.

    Damn my own stupidity for not checking the obvious thing before diving into the depths of WordPress.

    Oh well. That goes on the timesheet as two days studying the WordPress login system.

    Well, guess you solved it but I thought I’d add that I’ve got a script that creates a user from a kind of a staff management panel and I just require_once registration.php like you did and then use wp_update_user(), feeding it an array of what user data I have.

    I’ve got the exact same problem, don’t see a php mistake in my code really, do you?

    include_once($_SERVER['DOCUMENT_ROOT'].'/wp-config.php');
    include_once($_SERVER['DOCUMENT_ROOT'].'/wp-load.php');
    include_once($_SERVER['DOCUMENT_ROOT'].'/wp-includes/wp-db.php');
    
    global $userdata;
    global $wpdb; 
    
    //get the posted values
    $user_name = htmlspecialchars($_POST['username'],ENT_QUOTES);
    $pass_word = wp_hash_password($_POST['password']);
    $pass = $pass_word;
    $userinfo = get_userdatabylogin($user_name);
    
    if ( $pass == $userinfo->user_pass){
    
    	echo "yes";
    
    } else echo "no<br />:";
    
    //just to test if it received the data
    
    echo $pass;
    echo '<br />:';
    echo $userinfo->user_pass;
    echo '<br />:';
    echo $userinfo->ID;
    echo '<br />:';
    echo $userinfo->user_login;

    When I reload the page, it creates a different hashed pass for $pass!
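
Added example, not part of the thread and not WordPress code: a Python re-implementation of the portable `$P$` phpass scheme behind class-phpass.php, showing why the last snippet prints a new hash on every reload (each hashing call draws a fresh random salt) and how a CheckPassword-style check instead re-hashes with the salt and iteration count stored inside the saved hash. The function names are this example's own; the two constants are the hashes quoted in the first post, which carry the same salt and iteration count, so their digests can only differ if the strings that were hashed differed.

```python
import hashlib, hmac, os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Hashes quoted in the first post of the thread.
STORED = "$P$Bux0eEtTqlP/PYoyVRgNYnudssLFhd/"
AT_LOGIN = "$P$Bux0eEtTq78PqC77J2i4LFT.ggSDa81"

def encode64(data):
    """phpass base64 variant: little-endian 6-bit groups, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):  # 1 byte -> 2 chars, 3 bytes -> 4
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def split_hash(stored):
    """Return (log2 of iteration count, salt, digest) of a $P$/$H$ hash."""
    if stored[:3] not in ("$P$", "$H$") or len(stored) < 12:
        raise ValueError("not a portable phpass hash")
    log2 = ITOA64.index(stored[3])
    if not 7 <= log2 <= 30:
        raise ValueError("iteration count out of range")
    return log2, stored[4:12], stored[12:]

def crypt_portable(password, setting):
    """Hash password with the salt and cost read from setting."""
    log2, salt, _ = split_hash(setting)
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)

def new_hash(password, log2=13):
    """Hashing at registration: a fresh random salt on every call."""
    salt = encode64(os.urandom(6))  # 6 random bytes -> 8 salt characters
    return crypt_portable(password, "$P$" + ITOA64[log2] + salt)

def check(password, stored):
    """Verification: re-hash with the stored salt, then compare."""
    return hmac.compare_digest(crypt_portable(password, stored).encode(), stored.encode())

if __name__ == "__main__":
    pw = "wWFNJ5WVItDj"  # plain-text password quoted in the thread
    a, b = new_hash(pw), new_hash(pw)
    print(a != b, check(pw, a), check(pw, b))
    print(split_hash(STORED)[:2] == split_hash(AT_LOGIN)[:2])
```

In WordPress itself the equivalent of `check()` is `wp_check_password()`, which takes the plain-text password and the stored hash; comparing a fresh `wp_hash_password()` result to the stored value with `==` cannot match.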

  • The topic ‘Password Hashing / Login Problem’ is closed to new replies.