[Discontinued 1.5.1RC1] Md5 Encryption

[[Unknown]]

http://gbaetc.homeip.net/yypack/md5_encryption.mod
http://gbaetc.homeip.net/yypack/md5_encryption.zip
http://gbaetc.homeip.net/yypack

This modification will seemlessly upgrade the password encryption to md5 by waiting until you log in to actually change it in the database.  This may provide better security.

I strongly reccommend you change your cookiename after applying this.  (because people have to login for it to take effect... changing the cookie will force them to.)

Note: As of the latest release, members will NOT be able to modify their profiles without first logging out and then in again.  Because of this, I STRONGLY urge you to change your cookiename to a different alphanumeric value after installing this mod.

-[Unknown]

[Spaceman-Spiff]

remember guys, no weird characters in cookies (including dots -> '.')

[[Unknown]]

Update:  Now you don't get logged out when you change your password.

-[Unknown]

[Wiziwig]

Does it matter if cookies are enabled/disabled or if caching is enabled/disabled?

http://gbaetc.homeip.net/yypack/md5_encryption.mod
http://gbaetc.homeip.net/yypack/md5_encryption.zip
http://gbaetc.homeip.net/yypack

This modification will seemlessly upgrade the encryption to md5 by waiting until you log in to actually change it in the database.  This may provide better security.

I strongly reccommend you change your cookiename after applying this.  (because people have to login for it to take effect... changing the cookie will force them to.)

-[Unknown]

[[Unknown]]

This only encrypts your login password.  Therefore, it is as dependent on cookies as being able to login is.

I'll clarify that in the main description....

-[Unknown]

[Tenkoy]

Okay, I have tested this on my forum, which was just upgraded to RC45, but when I try to change my profile after using this, it says my password is invalid. But yet, I can login.

[Wiziwig]

Same here. password invalid.

[Tenkoy]

I think it is something that we did, because for some reason, my members CAN edit their profiles, yet I can not.

[[Unknown]]

Profile.php:

Code Select Expand


<search for>
      if (!trim($member['oldpasswrd']))
         fatal_error($txt[yse243] . ' ' . $txt[yse244]);
      if ($settings[0] != crypt($member['oldpasswrd'], substr($member['oldpasswrd'], 0, 2)))
         fatal_error($txt[yse242]);
</search for>

<replace>
      if (!trim($member['oldpasswrd']))
         fatal_error($txt[yse243] . ' ' . $txt[yse244]);
      if ($settings[0] != md5($member['oldpasswrd']))
         fatal_error($txt[yse242]);
</replace>


For some reason I didn't copy that change over.  Arg, I hate it when I do that.

Added to the current version.

-[Unknown]

[Tenkoy]

Parse Error on Profile.php on line 495

[[Unknown]]

That should teach me to mess with things at 3:30 am.

Fixed.

Edit: I also forgot Reminder, but that's fixed now too.  (and wouldn't have actually mattered.)

-[Unknown]

[[Unknown]]

To make a clarification, as someone asked about this code...

This code is completely original, and not based off of any other code or forum software.  I wrote it myself, and hold full copyrights to it.

However, I will say that this is an issue that was brought up by another person.  I was asked by Omar to make this, and so I did.

Many thanks to him for the idea.  I think he got it from somewhere... but I just wrote it for him.

I did use a method similar to that of another forum software, but I think that is of little concern; the similarity is small, and I in no way based my code off of that other forum.

-[Unknown]

[Silicon-Surge]

Do the all Users Need to reset their passwords ?

[Spaceman-Spiff]

no they dont
the mod first checks the password with md5, if that doesnt work, it checks with the previous crypt function, then if the password is correct it converts it to md5
so users wont feel anything at all
u can reset your cookies after applying the mod, so all of the users will have to re-login

[bostasp]

As i've just found out, if you apply this to your board and keep the database when you re-install, you have to apply this mod again before any users can login