Post by fume711 » Wed Dec 05, 2012 4:24 am

Hi,

We're using OpenCart v1.5.4.1 and are running into a problem with the OpenCart store, NOT the admin side.

We have customers who forgot their password and click on the "forgotten password" link. They type in their email and get a confirmation that their password is reset. They then go into their email to retrieve the new password.

Upon entering that new automatically generated password into the store log in, they still get the error "Warning: No match for E-Mail Address and/or Password."

When I tested it and reset my own password on the store front, and used the automatically generated password, it does NOT work, but entering my original password does.

It seems the forgotten password link generates a new password, but does not overwrite the old password in the database. Is there a fix, or are other people experiencing this in their cart? I've done a search on the forums and only found problems with the "admin dashboard" side, not the store side.

Thanks in advance!

New member

Posts

Joined
Tue Oct 06, 2009 2:15 pm

Post by lmw1 » Wed Dec 05, 2012 7:45 am

I'm experiencing the very same thing.

Any help on this issue?

Respectfully,
Leonard Michael

New member

Posts

Joined
Mon Jun 04, 2012 1:44 pm

Post by fume711 » Wed Dec 05, 2012 1:56 pm

Our cart system is using SSL, is yours too?
Just to see if there is a trend or bug.


Post by fume711 » Wed Dec 05, 2012 2:29 pm

Just did a test...

We have two carts... one without SSL -> forgotten password link works in resetting password
One with SSL does not work

I then turned off SSL to test the forgotten link and it still doesn't work. It sends the email, but the new password doesn't access the account. The old password still works.


Post by lmw1 » Wed Dec 05, 2012 2:38 pm

We are using SSL.

Can anyone help us with this? It is causing our phone to ring more than we'd like (and they're not potential clients either - lol).

Anyone?

Respectfully,
Leonard Michael


Post by fume711 » Wed Dec 12, 2012 3:31 pm

Anyone else experience this problem? Or have a solution? SSL related?


Post by rph » Wed Dec 12, 2012 3:45 pm

Try this - in /catalog/model/account/customer.php find:

Code:

public function editPassword($email, $password) {
    $this->db->query("UPDATE " . DB_PREFIX . "customer SET salt = '" . $this->db->escape($salt = substr(md5(uniqid(rand(), true)), 0, 9)) . "', password = '" . $this->db->escape(sha1($salt . sha1($salt . sha1($password)))) . "' WHERE email = '" . $this->db->escape($email) . "'");
}

And replace it with:

Code:

public function editPassword($email, $password) {
    $this->db->query("UPDATE " . DB_PREFIX . "customer SET salt = '" . $this->db->escape($salt = substr(md5(uniqid(rand(), true)), 0, 9)) . "', password = '" . $this->db->escape(sha1($salt . sha1($salt . sha1($password)))) . "' WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "'");
}

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by fume711 » Tue Dec 18, 2012 4:20 pm

Thanks rph!

This seems to have solved the problem. It appears that if the customer has upper and lower case combinations entered in the "forgot password" email address, it won't save the new password in the database, even though a "success" message shows up.

It seems your fix makes everything lowercase before searching in the database...which seems to have done the trick.

Thanks!

P.S. Should this be reported as a bug and added as a fix?


Post by rph » Wed Dec 19, 2012 1:01 am

I just submitted it.

-Ryan



Post by fume711 » Wed Dec 19, 2012 6:16 am

rph wrote: I just submitted it.

Thanks!


Post by Sidecutter » Sun Jul 21, 2013 10:19 pm

Thanks a ton, rph! I was having this same issue with 1.4.9.6 (though I didn't know the cause - after testing what was said here, sure enough, it was uppercase characters mixed into e-mail addresses) and was able to look at the two changes you made to the 1.5.x code and make the same changes to the code for 1.4.9.6, and it works perfectly now! For anyone using 1.4.9.6, or likely most 1.4.9 and possibly some earlier versions, here's the code for your version of this fix:

In /catalog/model/account/customer.php find:

Code:

	public function editPassword($email, $password) {
      	$this->db->query("UPDATE " . DB_PREFIX . "customer SET password = '" . $this->db->escape(md5($password)) . "' WHERE email = '" . $this->db->escape($email) . "'");
	}

And replace it with:

Code:

	public function editPassword($email, $password) {
      	$this->db->query("UPDATE " . DB_PREFIX . "customer SET password = '" . $this->db->escape(md5($password)) . "' WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "'");
	}

Active Member

Posts

Joined
Tue Jan 18, 2011 6:58 am
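
The failure mode this thread tracked down, shown end to end as an added example that is not part of any post and is not OpenCart's code. Assumptions: in-memory SQLite through PDO stands in for the store database, the lookup that precedes the reset is case-insensitive (the thread reports the confirmation appearing), every function name except the idea of editPassword is hypothetical, and password_hash() replaces the sha1/md5 hashing quoted above to keep the example short.

```php
<?php
// Added example. SQLite compares TEXT case-sensitively by default, which is
// assumed here to reproduce the behaviour the thread observed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customer (email TEXT, password TEXT)');
// Constructed sample row: the address as stored at registration.
$db->prepare('INSERT INTO customer VALUES (?, ?)')
   ->execute(['jane.doe@example.com', password_hash('original', PASSWORD_DEFAULT)]);

// Case-insensitive lookup, assumed to run before the reset mail is sent.
function customerExists(PDO $db, $email) {
    $q = $db->prepare('SELECT COUNT(*) FROM customer WHERE LOWER(email) = ?');
    $q->execute([strtolower($email)]);
    return (int) $q->fetchColumn() > 0;
}

// Before the fix: exact-case match in the WHERE clause. Returns rows changed.
function editPasswordExact(PDO $db, $email, $password) {
    $q = $db->prepare('UPDATE customer SET password = ? WHERE email = ?');
    $q->execute([password_hash($password, PASSWORD_DEFAULT), $email]);
    return $q->rowCount();
}

// After the fix: both sides lowercased, as in the replacement posted above.
function editPasswordLower(PDO $db, $email, $password) {
    $q = $db->prepare('UPDATE customer SET password = ? WHERE LOWER(email) = ?');
    $q->execute([password_hash($password, PASSWORD_DEFAULT), strtolower($email)]);
    return $q->rowCount();
}

function canLogin(PDO $db, $email, $password) {
    $q = $db->prepare('SELECT password FROM customer WHERE LOWER(email) = ?');
    $q->execute([strtolower($email)]);
    $hash = $q->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

$typed = 'Jane.Doe@Example.com';   // constructed: mixed case typed into the reset form
var_dump(customerExists($db, $typed));   // the lookup finds the account

// The exact-case UPDATE raises no error and changes no row. The row count is
// the signal to check before mailing a new password or showing "success".
$changed = editPasswordExact($db, $typed, 'emailed-1');
var_dump($changed, canLogin($db, $typed, 'emailed-1'), canLogin($db, $typed, 'original'));

// With the fix the row is updated and only the new password logs in.
$changed = editPasswordLower($db, $typed, 'emailed-2');
var_dump($changed, canLogin($db, $typed, 'emailed-2'), canLogin($db, $typed, 'original'));
```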