#1 2018-03-23 17:59:41

brianpb007
Member
2018-01-12
15

Password reset email never sent, database pw update has no effect

Hello,

I have 1 browser tab with an admin login to my website working with a password saved by Firefox. Trying to log in as admin in another tab always results in "You are not authorised to access the requested page".

"Forgotten your password?" link takes one to  http://fractasia.com/password.php:
Please enter your username or email address. You will receive a link to create a new password via email.

Tried user id and email address, hit  "change my password" and no email ever arrives (and I have checked spam).

Just to make sure I had the right email and user ID, I checked mysql from dreamhost:

ssh ME@fractasia.com
mysql -h zahradka.mandoline.dreamhost.com -u fractasiacom1 -pYYY  fractasia_com_1

mysql> update piwigo_users set password=PASSWORD('__ZZZ__') where username='guest';
Query OK, 1 row affected (0.01 sec)
Rows matched: 1  Changed: 1  Warnings: 0

mysql> select * from piwigo_users;
+----+------------+-------------------------------------------+------------------------------+
| id | username   | password                                  | mail_address                 |
+----+------------+-------------------------------------------+------------------------------+
|  1 | brianpb007 | *xxx |  __my_working_email_@gmail.com |
|  2 | guest      | *xxx | NULL                         |        [[ "*xxx" matches both users, but is NOT real password ]]

I changed the password for user=GUEST to my known password and it hashes out to the same thing verifying that my password is correct.

Now, trying to reset a password on the Piwigo php web page with either my verified password or userid gives  "Invalid username or email"

If I close this browser, I will not be able to login again.  I can't change the password as ADMIN as the database password does not work.

What happened? 
Dreamhost says:
It may be related to the browser or an issue with the configuration.
Troubleshooting it for you is outside the scope of our support. I'm
sorry about that. I recommend to check the forum for further assistance
here: http://piwigo.org/forum/ . Thanks again,  Tony

This all started when Dreamhost overwrote my Piwigo site with a default, generic new version of WordPress. Their restore restored the password to one a few versions old. The password has been weird ever since.

What can I do while I still have 1 admin login to fix this password snafu?

Thx,

    Brian

Offline

 

#2 2018-03-23 22:43:46

flop25
Piwigo Team
2006-07-06
7037

Re: Password reset email never sent, database pw update has no effect

Hello
I don't understand at all what you did and mostly why you did it.

1- check your server logs about the email (postfix etc)
2- in the DB, change the password to the md5 version of it, then log in and Piwigo converts it to the hash+salt


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website

Offline
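
Added example (not part of the thread and not Piwigo's own code): a small Python model of the upgrade-on-login behaviour described in step 2, showing why a value written with MySQL's PASSWORD() never matches while an MD5() value is accepted once and then replaced by a salted hash. The function names, the `pbkdf2$` storage format and the use of PBKDF2 as the salted hash are assumptions made for illustration.

```python
import hashlib, hmac, os, re

ITERATIONS = 100_000  # assumed work factor for this example

def mysql_password(pw):
    # What MySQL's PASSWORD() stored: '*' + uppercase hex of SHA1(SHA1(pw)).
    inner = hashlib.sha1(pw.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def legacy_md5(pw):
    return hashlib.md5(pw.encode()).hexdigest()

def salted_hash(pw, salt=None):
    # PBKDF2 stands in here for the application's salted hash (assumption).
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"

def classify(stored):
    if stored.startswith("pbkdf2$"):
        return "salted"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "legacy-md5"
    if re.fullmatch(r"\*[0-9A-F]{40}", stored):
        return "mysql-password"
    return "unknown"

def login(users, name, pw):
    stored = users.get(name)
    kind = classify(stored) if stored else "unknown"
    if kind == "salted":
        _, iters, salt_hex, want = stored.split("$")
        got = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(got.hex(), want)
    if kind == "legacy-md5" and hmac.compare_digest(legacy_md5(pw), stored):
        users[name] = salted_hash(pw)  # upgrade on first successful login
        return True
    return False  # a '*...' PASSWORD() value is never computed by the app

def demo():
    pw = "correct horse"  # constructed sample password
    users = {"guest": mysql_password(pw)}      # what UPDATE ... PASSWORD() leaves
    after_password_fn = login(users, "guest", pw)
    users["guest"] = legacy_md5(pw)            # what UPDATE ... MD5() leaves
    after_md5 = login(users, "guest", pw)
    return after_password_fn, after_md5, classify(users["guest"])
```

In this model, a stored value beginning with `*` followed by 40 uppercase hex characters is the signature of a row set with PASSWORD(), which is a quick thing to check for in the users table when a manual reset "has no effect".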

 

#3 2018-03-24 19:24:36

brianpb007
Member
2018-01-12
15

Re: Password reset email never sent, database pw update has no effect

>> i don't understand at all what you did
Asked for password reset.  Hacked password via db when email never came. What is method C?

>>  and mostly why you did it
Reason obvious, unable to login to 2nd piwigo admin session with the same uid and password saved by (Weird!). 

Rebooted my workstation, auto-login to Piwigo/admin  worked fine. Tried second window, same workstation, same browser, same boot -- you are not authorized << How is this even  possible?   If I copied the URL to another tab, it worked there. Would not survive a reboot (kernel update) or work on another machine.


The email in piwigo_users is valid but never got any email.  Since it is a google address, it is unlikely that the error is there.

A robust design would
- check that postfix is both installed and running  ||  Error("Tell bonehead sys admin to install/start postfix")
- check for a bounce
- implement a read receipt to verify that it is not lost in the Luminiferous Aether
- copy the sysadmin on a known good email so a person can see if dozens pile up from the same user
- have some type of feedback and error checking which differentiates  a CONTROL SYSTEM from a HOPE SYSTEM

It is not the 99% of cars which don't explode which prove high quality, it is the 1% which detonate upon rear impact which illustrate the design flaw.

The MD5() hashing worked.

Thanks!

Offline

 

#4 2018-03-24 19:26:59

flop25
Piwigo Team
2006-07-06
7037

Re: Password reset email never sent, database pw update has no effect

That's server administration and NOT website management. Piwigo and any CMS cannot technically do what you are asking.



Offline

 
