Upgrading 2.3.6.2 MSSQL to latest version password hashing

Post here for help with installing or upgrading mojoPortal pre-compiled release packages. When posting in this forum, please provide all relevant details. You may also want to review the installation or upgrading documentation.

If you have questions about using the source code or working with mojoPortal in Visual Studio, please post in the Developer forum.

This thread is closed to new posts. You must sign in to post in the forums.
5/26/2013 9:36:21 AM
Total Posts 23

Hi there,

I'm new to mojoPortal and I'm helping a website out to maintain and develop further. First thing I would like to do is to update the website to the latest version. One of the things that has been changed in the new version is the password hashing. This might be a big issue for us. The reason for that is that users don't only log in via the website, which means if we upgrade and they log in outside the website the password check will probably fail because our app uses different hashing.

What I would like to know is if running a script to rehash all the passwords in the database and then upgrade our hashing in our app would be a good idea when upgrading to the latest version. Any help with that is appreciated :-)

Thanks for any answer!

5/26/2013 10:13:26 AM
Total Posts 18439

Re: Upgrading 2.3.6.2 MSSQL to latest version password hashing

How do users log in from outside the web?

If they log in via our mojoMembershipProvider (i.e. via /Services/Authentication.svc or via the web UI) the password format will be updated upon login to use the stronger hash with salt. If login fails then it tries again using the old hash and if that succeeds the data is updated to the new stronger hash.

I cannot think of any solution except to make your own custom code use similar logic if it is external to mojoPortal. Since hashed passwords are not decryptable we don't know what they are and therefore no method is available to batch update them via SQL or any other script. The only way we can update it is because the user entered the correct password that matched the old hash, so we take that same input and apply the new hash with a random salt and we then store that hash and the new salt in the database.
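The fallback-and-upgrade login described in the reply above, sketched for an external app as an added example (not part of the original posts and not mojoPortal's code). The unsalted SHA-1 legacy format, the PBKDF2 salted format, the iteration count and the `pwd_hash`/`salt` field names are assumptions, since the thread does not state the actual formats.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the new format


def legacy_hash(password):
    # Assumed old format: unsalted SHA-1 hex digest (a stand-in, not mojoPortal's).
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password, salt):
    # Assumed new format: PBKDF2-HMAC-SHA256 with a per-user random salt.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return digest.hex()


def login(user, password):
    """Verify `password` against a user row (a dict standing in for the DB record).

    Returns (ok, upgraded). The row is rewritten only after a successful
    match against the legacy hash, because that is the only moment the
    plaintext is available to compute the new salted hash.
    """
    salt = user.get("salt")
    # Rows already upgraded (by the website or by this app) use the new format.
    if salt and hmac.compare_digest(salted_hash(password, salt), user["pwd_hash"]):
        return True, False
    # Legacy fallback is allowed only for rows that were never upgraded.
    if not salt and hmac.compare_digest(legacy_hash(password), user["pwd_hash"]):
        new_salt = os.urandom(16)
        user["pwd_hash"] = salted_hash(password, new_salt)
        user["salt"] = new_salt
        return True, True
    return False, False


def demo():
    # Constructed sample row: a pre-upgrade account with no salt stored.
    row = {"name": "alice", "pwd_hash": legacy_hash("correct horse"), "salt": None}
    attempts = ["wrong guess", "correct horse", "correct horse"]
    return row, [login(row, p) for p in attempts]


if __name__ == "__main__":
    print(demo()[1])
```

A failed attempt leaves the legacy row untouched, the first correct login upgrades it, and every later login verifies against the salted hash only, whichever client performed the upgrade.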

5/27/2013 10:13:05 AM
Total Posts 23

Re: Upgrading 2.3.6.2 MSSQL to latest version password hashing

Hi Joe,

Thanks for the fast reply. It seems we can work around the hashing problem by editing our app. Basically we will do the same as the website: check if the password matches the old way; if it does, rehash it; if it doesn't, check if it matches with the new hash; if not, the login is invalid.

I do however have another question. I just noticed someone registered an assembly for a custom .dll in some of the master pages so that we can show some additional information on the profileview.aspx page (which is also edited). I assume that if we upgrade we will lose our customization to the master pages because we will override the files. Will it be enough to add these added lines in the new copied files?

5/27/2013 10:28:26 AM
Total Posts 18439

Re: Upgrading 2.3.6.2 MSSQL to latest version password hashing

Skins used by the site are not touched at all during upgrades; only skins in the catalog under /Data/skins are updated, not ones under /Data/Sites/[SiteID]/skins.

As long as you never modified mojoPortal code there should not be any problems that cannot be resolved. You will definitely want to review important skin changes and backup both the database and the site files before upgrade so that if something went wrong you could restore it.

5/29/2013 6:28:12 AM
Total Posts 23

Re: Upgrading 2.3.6.2 MSSQL to latest version password hashing

Yea, that is the point, it seems the mojoPortal code has been modified. For example the $root/ProfileView.aspx and $root/App_MasterPages/layout.master.aspx have been modified to register the custom .dll.

There are no major changes so I'm guessing editing these files after copying the new deploy files will be enough. We'll see :-)

5/29/2013 6:34:51 AM
Total Posts 18439

Re: Upgrading 2.3.6.2 MSSQL to latest version password hashing

You could and should register the tag declaration in the layout.master file of your skin folder, not in /App_MasterPages/layout.master.

5/29/2013 6:44:59 AM
Total Posts 23

Re: Upgrading 2.3.6.2 MSSQL to latest version password hashing

Awesome, I'll change that when deploying the new version.

6/4/2013 9:51:36 AM
Total Posts 23

Re: Upgrading 2.3.6.2 MSSQL to latest version password hashing

Hi Joe,

We updated the website to the newest version and it went pretty smoothly. We are encountering one problem. Users are complaining that they cannot edit their forum posts from before the upgrade but can edit forum posts from after the upgrade. I searched the forums but cannot find anything related except for some skin changes, but I don't think that's the case here.

Any idea what might have happened?

6/4/2013 10:53:17 AM
Total Posts 18439

Re: Upgrading 2.3.6.2 MSSQL to latest version password hashing

Look in the forum settings; there is a setting for "Allow Users To Edit Their Posts For Up To This Many Minutes", and it defaults to 60 minutes. If you really want people to be able to edit their posts forever you can change it to -1. Myself, I don't like it when people edit older posts or change the question after it has been answered; I think one hour is more than enough time to allow. There is also a setting to close threads after a certain number of days so that no new posts can be made on the thread. By default it is 365 days or 1 year; again, if you want no limit you can set it to -1.

Of course users with edit rights on the page or forum instance (i.e. moderators) can edit any post at any time.

Hope that helps,

Joe

6/5/2013 2:01:04 PM
Total Posts 23

Re: Upgrading 2.3.6.2 MSSQL to latest version password hashing

Hi Joe, 

Thanks again for the fast reply. It seems that changing the setting isn't really working yet. Do I need to republish or somehow push this new setting?

I even created a new user and after making a new topic I'm able to edit the thread, but when I reply to an existing thread I can't edit my reply.

6/5/2013 2:22:02 PM
Total Posts 18439

Re: Upgrading 2.3.6.2 MSSQL to latest version password hashing

Can you replicate the problem on our demo site?

6/6/2013 4:04:03 AM
Total Posts 23

Re: Upgrading 2.3.6.2 MSSQL to latest version password hashing

With the admin account I changed the setting to -1. Next I created a test user and submitted a new thread and reply; for both I'm not able to edit them, but maybe I'm missing a setting somewhere?

6/13/2013 3:02:03 AM
Total Posts 23

Re: Upgrading 2.3.6.2 MSSQL to latest version password hashing

Hi Joe,

Do you have any idea what may cause this problem? I reproduced the problem by changing the setting in the demo portal to -1 and wasn't able to edit any of my own posts.

6/13/2013 9:25:59 AM
Total Posts 23

Re: Upgrading 2.3.6.2 MSSQL to latest version password hashing

Extra info:

When changing the -1 value to 9999999999999999999999 I'm able to edit my newly created post but not any post created in the past.

6/13/2013 12:13:37 PM
Total Posts 18439

Re: Upgrading 2.3.6.2 MSSQL to latest version password hashing

Hi,

This problem with the forum is now fixed in our source code repository so it will work correctly in the next release. I confirm the -1 was not working as advertised. Next time I deploy an update to the demo site I'll post here again so you can check it.

Thanks,

Joe
