Password Hashing / Login Problem
I’m creating a custom user registration screen for a plugin and everything works fine. The user is created and assigned a random password.
The problem is that the login process (the default WordPress wp-login.php) rejects the password.
Having traced through the code, it appears that the hash of the password stored in the database is different from the hash being created when the password is entered in the login screen.
This suggests the bug is in how I hash & store the password during user creation but the code looks right and relies on standard WP functions.
Can anyone offer any suggestions?
/**
 * Adds the user to the WordPress system.
 * It is a cut down version of wp-includes/registration.php wp_insert_user
 */
private function createUser( $user_login, $password, $user_email ) {
    global $wpdb;

    $user_login = esc_html( trim( $user_login ) );
    $user_email = esc_html( trim( $user_email ) );
    $update = false;

    // Hash the password
    $user_pass = wp_hash_password( $password );

    $user_login = sanitize_user( $user_login, true );
    $user_login = apply_filters( 'pre_user_login', $user_login );
    $user_email = apply_filters( 'pre_user_email', $user_email );

    $rich_editing = 'true';
    $comment_shortcuts = 'false';
    $admin_color = 'fresh';
    $admin_color = preg_replace( '|[^a-z0-9 _.\-@]|i', '', $admin_color );
    $use_ssl = 0;
    $user_registered = gmdate( 'Y-m-d H:i:s' );

    $data = compact( 'user_pass', 'user_email', 'user_registered' );
    $data = stripslashes_deep( $data );
    $wpdb->insert( $wpdb->users, $data + compact( 'user_login' ) );
    $user_id = (int) $wpdb->insert_id;

    update_usermeta( $user_id, 'rich_editing', $rich_editing );
    update_usermeta( $user_id, 'comment_shortcuts', $comment_shortcuts );
    update_usermeta( $user_id, 'admin_color', $admin_color );
    update_usermeta( $user_id, 'use_ssl', $use_ssl );

    $user = new WP_User( $user_id );
    $user->set_role( TACS_AFFILIATE_ROLE );

    wp_cache_delete( $user_id, 'users' );
    wp_cache_delete( $user_login, 'userlogins' );

    do_action( 'user_register', $user_id );
    return $user_id;
}

Example:
Plain text password passed to the code above:
wWFNJ5WVItDj
Stored password, hashed by the code above:
$P$Bux0eEtTqlP/PYoyVRgNYnudssLFhd/
What wp-login via class-phpass.php -> CheckPassword thinks the hash of the plain text password should be:
$P$Bux0eEtTq78PqC77J2i4LFT.ggSDa81
As the two hashes are different, the login process fails, but I cannot see why this difference exists.
What am I missing?
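Added example, not part of the original post and not WordPress code: a Python re-implementation of the phpass portable (`$P$`) scheme for checking the two quoted values offline. Both begin with `$P$Bux0eEtTq`, which is the scheme id, cost and salt, so the digests can only differ if different password bytes were hashed; the variants tried in `diagnose` are hypothetical transformations, not a statement of what the poster's code does.

```python
import hashlib, hmac, html

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The two values quoted in the post above.
STORED = "$P$Bux0eEtTqlP/PYoyVRgNYnudssLFhd/"
AT_LOGIN = "$P$Bux0eEtTq78PqC77J2i4LFT.ggSDa81"

def encode64(data: bytes) -> str:
    """phpass base64 variant: 3 bytes little-endian -> 4 chars, low 6 bits first."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def parse(stored: str) -> dict:
    """Split a portable hash into scheme id, iteration count, salt and digest."""
    log2 = ITOA64.find(stored[3:4])
    if stored[:3] not in ("$P$", "$H$") or not 7 <= log2 <= 30 or len(stored) != 34:
        raise ValueError("not a phpass portable hash")
    return {"id": stored[:3], "iterations": 1 << log2,
            "salt": stored[4:12], "digest": stored[12:]}

def phpass_hash(password: str, setting: str) -> str:
    """Recompute the hash using the cost and salt taken from `setting`."""
    p = parse(setting.ljust(34, "."))  # allow a bare 12-char setting
    pw = password.encode("utf-8")
    digest = hashlib.md5(p["salt"].encode() + pw).digest()
    for _ in range(p["iterations"]):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)

def check(password: str, stored: str) -> bool:
    return hmac.compare_digest(phpass_hash(password, stored), stored)

def diagnose(plain: str, stored: str):
    """Return which constructed variant of `plain` the stored hash was made from."""
    variants = {  # hypothetical transformations a registration path might apply
        "as typed": plain,
        "trimmed": plain.strip(),
        "trailing newline": plain + "\n",
        "html-escaped": html.escape(plain, quote=True),
        "slash-escaped": plain.replace("\\", "\\\\").replace("'", "\\'"),
    }
    return next((k for k, v in variants.items() if check(v, stored)), None)
```

Calling `diagnose("wWFNJ5WVItDj", STORED)` reports which variant, if any, produced the stored value; `None` means the string hashed at registration was none of these.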