OJS: broken database, users unable to connect

Hi @sebastien,

The above methods will only work for old-style (previous to OJS 2.4.7) hashes, which will be 40 characters long. Is that the format of the hashes you’re trying to match?

Regards,
Alec Smecher
Public Knowledge Project Team

I have tried the following syntax with a user / password I know. I am pretty sure the password has not been changed and I just asked the user to confirm.

Length of password field is 40 chars.

SELECT username, sha1(CONCAT('myusername','a_password')), password FROM users WHERE username='myusername';
or
SELECT username, sha1(CONCAT(username,'a_password')), password FROM users WHERE username='myusername';

As far as I know from state-of-the-art password storage, columns 2 and 3 should be identical, shouldn’t they? For some reason this is not the case, with either sha1 or md5.

Any idea? I guess people are able to connect with the “forgot password” option because the number of users having a 60-chars password has increased. But I would be glad to find an explanation.

Hi @sebastien,

The length of the password column should be 255 characters, not 40. I thought we confirmed that above.

Regards,
Alec Smecher
Public Knowledge Project Team

Yes I agree. Password hashes have 40 chars and the field is 255.

I understand what happened:

In my OJS installation, I know only 2 passwords:

  1. my own one (simple user level)
  2. an editor’s one.

I put version 2.4.7.1 online but the database update process was not complete. I tested login with the two passwords above. Then users complained that the first login was successful and the next ones were not. This happened because the field length was still 40 characters and the new password hash with salt was truncated. After that, neither login nor the “forgot password” procedure was possible. Once the correct database structure was set, I was able to ask for a new password for my own user (password 1). But password 2 was corrupted and I could neither ask for a new password nor use the previous one.

Obviously, the tests with the SQL queries above could not be successful, since password 2 is a truncated, 40-char string of a 60-char hash.

My problem seems to be solved. Thanks for your time.

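The failure diagnosed in this thread, as an added example (not code from OJS or from any poster): a legacy hash and a truncated new-style hash are both 40 characters long, so length alone does not tell them apart. It assumes the 60-character hashes are bcrypt strings in the `$2y$` format written by PHP's `password_hash()`; the usernames and hash values are constructed sample data.

```python
import hashlib
import hmac
import re

# Legacy format from the thread: sha1(username + password), 40 hex characters.
LEGACY_SHA1 = re.compile(r"[0-9a-f]{40}")
# Assumed new format: bcrypt, "$2y$<cost>$" + 22-char salt + 31-char digest = 60 chars.
BCRYPT_FULL = re.compile(r"\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}")
BCRYPT_CUT = re.compile(r"\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{0,52}")


def classify_hash(stored):
    """Label a stored value from the users.password column."""
    if LEGACY_SHA1.fullmatch(stored):
        return "legacy_sha1"
    if BCRYPT_FULL.fullmatch(stored):
        return "bcrypt"
    if BCRYPT_CUT.fullmatch(stored):
        return "truncated_bcrypt"  # unrecoverable: the user needs a password reset
    return "unknown"


def legacy_matches(username, password, stored):
    """Same comparison as the SQL in the thread; only meaningful for legacy rows."""
    candidate = hashlib.sha1((username + password).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, stored)


def audit(rows):
    """Map each username to the classification of its stored hash."""
    return {user: classify_hash(stored) for user, stored in rows}


# Constructed sample data (not real hashes from any installation).
FULL_BCRYPT = "$2y$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_ROWS = [
    ("reader1", hashlib.sha1(b"reader1" + b"a_password").hexdigest()),
    ("author1", FULL_BCRYPT),
    ("editor1", FULL_BCRYPT[:40]),  # what a 40-character column keeps of a 60-char hash
]

if __name__ == "__main__":
    for user, kind in audit(SAMPLE_ROWS).items():
        print(f"{user}: {kind}")
```

Rows reported as `truncated_bcrypt` cannot be matched by the `sha1(CONCAT(...))` query or by a normal login, because the stored value is no longer a complete hash.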

Did you fix this issue or not? I am facing the same issue. If you did, please guide me on how you did that.