cachedependancy files not being created

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

Please do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.

This forum is for discussing mojoPortal development

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

You can monitor commits to the repository from this page. We also recommend developers to subscribe to email notifications in the developer forum as occasionally important things are announced.

Before posting questions here you might want to review the developer documentation.

Do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.
This thread is closed to new posts. You must sign in to post in the forums.
3/28/2012 3:05:05 PM
Gravatar
Total Posts 130

Re: cachedependancy files not being created

... I ran the application in debug mode again, this time pointing to a database that hasn't been upgraded (so it's 2.3.7.6) and am throwing an exception at log in: IndexOutofRangeException was unhandled by user code at line 926 in SiteUser.cs:

 rolesChanged = Convert.ToBoolean(reader["RolesChanged"]);

I don't know if that is helpful or not.

~ Beth

3/28/2012 3:32:11 PM
Gravatar
Total Posts 18439

Re: cachedependancy files not being created

Hi Beth,

There has not been a release of 2.3.8.3. A release is when I compile a build and make anew package of pre-compiled files for people to download. The source code repository is always the latest code, the version number corresponds only to changes int the database schema, ie new upgrade scripts are added with incremented versions every time I need to make any changes in the database. So currently in the repository the database is up to script 2.3.8.3 but other changes will be made before the next official release is packaged, amd possibly I will even need to make additioanl changes in the database and increment the upgrade script again before the next official release. But if you are using the latest code you should see the version as 2.3.8.3 since that is the most recent upgrade script in the repository.

Of course there will be errors expected if you run the latest code without running the upgrade scripts. New fields like "RolesChanged" get added by upgrade scripts and the newest code expects the new field, so the code and the database have to be in sync and that is what the setup page does it runs the scripts to upgrade the database to get it in sync with the latest code.

I'm not really sure what is going on, hashed password don't depend on the machine key so that isn't a factor.

My password is correct but the hash doesn't exist in the db at all.

What do you mean by that? Your password is correct where? in the database?

If using hashed passwords you will not see the password in the database you will only see the hash. The password field in the database is pwd not Password in case that is throwing you off. The Password field is a legacy field (no longer used) it was too small for the stronger hashing and stronger encryption so we migrated quite a while back from the Password field to a larger field Pwd. That change of fields was many versions ago, but we finally took advantage of the larger field in 2.3.8.1 when we implemented the stronger hashing.

The way it works with hashed password is the password you enter on the login page is concatenated with the value from the Password salt field then hashed and then the hash is compared to the hash in the pwd field, if it matches the password is correct.

We changed from MD5 hash with no salt to SHA512 hash with salt. Salt is just a random string concatenated with the password before hashing, it is stored in the PasswordSalt field. Its purpose is so that people who happen to use the same password don't have the same hash.

So when you try to login it is first trying to use the sha512 hash but if that fails it falls back to trying the old md5 hash (with no salt) so that it won't break any logins during upgrade. So I don't see how the change to stronger hashing could posisbly cause a login failure. Something else is going on here but I'm not really sure without being able to debug it myself.

If you want to email me a database backup and tell me a user name and password that should work I could try to debug it for you tomorrow, but I understand if you don't want to do that for data security reasons.

Best,

Joe

3/28/2012 3:49:31 PM
Gravatar
Total Posts 130

Re: cachedependancy files not being created

When using break points in Visual Studio when I get to the HashedSha512PasswordIsValid method I can see my text password in the Visual Studio Console, and know it to be the correct password.  What I see in the db is hashed. I'm looking at the Pwd column and ran a query searching for the hash that has been interpreted by the application, and that hash is not present in the db at all. So it appears that the application is interpreting the text password incorrectly.

I pulled the latest version from your repository and upgraded a test db to 2.3.8.3 and am still having the same issue.

Tomorrow I could export the db and remove/change credentials so you can have something that is pre-upgraded, working, and not a security issue.

Thanks,

~ Beth

3/28/2012 3:55:26 PM
Gravatar
Total Posts 130

Re: cachedependancy files not being created

ooooh I just realized that the hash IS being read correctly. The sha512Hash is what I was originally looking at, and it is a value I do not recognize. In the Visual Studio "Autos" window (while debugging) the siteUser.Password value is the correct hash. At line 1681 of the mojoMembershipProvider.cs  if (sha512Hash == siteUser.Password) {  return true; } it is returning false ... so isValid is returning a false value. Which is in turn returning a false value to result.

3/28/2012 4:06:24 PM
Gravatar
Total Posts 18439

Re: cachedependancy files not being created

Hi Beth,

At line 1681 of the mojoMembershipProvider.cs if (sha512Hash == siteUser.Password) { return true; } it is returning false

That would be expected since the current rows have an md5 hash, but when it returns to line 1516 as false it should next check using md5 at line 1518

Best,

Joe

3/29/2012 3:35:16 PM
Gravatar
Total Posts 130

Re: cachedependancy files not being created

Hello,

The issue was that "CheckMD5PasswordHashAsFallback" was set to false in the user.config when it should have been set to true.  After making that change the app was able to update my hash to salt and I can now log in (yay). Now to begin testing ....

~ Beth

You must sign in to post in the forums. This thread is closed to new posts.