I downloaded and installed WWF 9.74
I registered a user testuser with a password, 'TestPassword'. Of course we know the system will store 'testpassword', but the user does not know this. There is nothing telling them this.
I downloaded and installed WWF 10 - Upgraded the WWF 9.74 to 10
I tried to log in with the same user 'testuser' and password, 'TestPassword' and it fails since version 9.74 lowercased my password without letting the user know.
So I have about 3500 registered users in my 7.x forum. They have no idea that the system lowercased their passwords. So, when I upgrade to 10.x they would not be able to log in because their passwords are lower case and they don't know this.
Workarounds
Send a mass email to my registered users notifying them that their passwords are really lower case so they can log in and then change to mixed case if they wish. Don't know how effective this would be.
Rollback the case sensitivity in the login form. Tried this but if a new user registers then the password is stored in mixed case and the login form will lower case the password and the new user will not be able to log in. If you can tell me where I need to make the LCase() to handle password changes and new user registrations, I can do that. This might be a temporary workaround until a more permanent fix could be implemented. The places I have seen are:
login_user.asp line 110 - strPassword = Trim(Mid(Request.Form("password"), 1, 20))
This will lower case the password they type when they log in
Change to:
strPassword = LCase(Trim(Mid(Request.Form("password"), 1, 20)))
register.asp line 333 - strPassword = Trim(Mid(Request.Form("password1"), 1, 20))
This will lower case the password they type in when they register or update their password.
Change to:
strPassword = LCase(Trim(Mid(Request.Form("password1"), 1, 20)))
What do you think about those changes?
EDIT:
Found those lines of code here as well:
admin.asp line 89
admin_register.asp line 145
Edited by rjcarter - 30 June 2011 at 6:41pm
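An alternative to lowercasing in every code path, as an added example that is not part of the original post and is not WWF code: accept the lowercased form only for accounts created before the upgrade, then re-store the password exactly as typed on the first successful login. It is written in Python rather than the forum's ASP; the salted PBKDF2 storage, the `legacy` flag and all function names are assumptions made for the sketch, and only the trim and 20-character limit come from the lines quoted above.

```python
import hashlib
import hmac
import os

MAX_LEN = 20  # mirrors Trim(Mid(Request.Form("password"), 1, 20)) from the post


def normalise(raw):
    # Same order as the quoted ASP: first 20 characters, then trim spaces.
    return raw[:MAX_LEN].strip(" ")


def hash_pw(password, salt):
    # Assumed storage scheme for this sketch, not the forum's actual hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_legacy_user(raw):
    # Constructed record: what a version that lowercased on register would hold.
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_pw(normalise(raw).lower(), salt), "legacy": True}


def register(raw):
    # New registrations keep the case the user typed.
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_pw(normalise(raw), salt), "legacy": False}


def login(user, raw):
    typed = normalise(raw)
    if hmac.compare_digest(hash_pw(typed, user["salt"]), user["hash"]):
        user["legacy"] = False  # the as-typed form matched; no fallback needed later
        return True
    # Fallback is limited to pre-upgrade accounts, so new users stay case-sensitive.
    if user["legacy"] and hmac.compare_digest(
        hash_pw(typed.lower(), user["salt"]), user["hash"]
    ):
        # Re-store the password exactly as typed and retire the legacy path.
        user["salt"] = os.urandom(16)
        user["hash"] = hash_pw(typed, user["salt"])
        user["legacy"] = False
        return True
    return False
```

With this shape the case-insensitive comparison disappears account by account as users log in, instead of remaining in the login, registration and admin pages permanently.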