On or around line 247 of functions_member_API.asp, in the section with the
comment: 'If the password doest match that on record we need to create a new
password to save to db'
the line:
strPassword = HashEncode(strPassword & strSalt)
should be:
strPassword = HashEncode(LCase(Trim(Session("PASSWORD"))) & strSalt)
The incorrect line is Hashing an already hashed password.
However, I also found out, if the password being passed to this call is already hashed by the calling system, it will never stay in sync. This isn't really a problem except for an Admin. If an admin tries to log into the admin area, their entered password will never match what is stored in the WW DB. I'm not sure why you bother having the admin log in a 2nd time. They've already logged into the system once. Eliminating the 2nd login will eliminate this issue.
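The mismatch described in this report, modelled in Python as an added example (this is not code from the original post or from the forum software itself). HashEncode is assumed here to be a hex SHA-1 digest purely for illustration; the real function's algorithm is not stated on the page. The point it shows is that hashing an already-hashed value with the salt can never equal the hash the login check computes from the normalised plaintext, so the "buggy" resync desynchronises the stored password while the corrected line keeps it verifiable.

```python
import hashlib
import hmac


def hash_encode(value: str) -> str:
    """Stand-in for the page's HashEncode(); SHA-1 hex is an assumption."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest()


def normalise(password: str) -> str:
    """Mirrors LCase(Trim(...)) applied in the corrected line."""
    return password.strip().lower()


def store_password(plain_password: str, salt: str) -> str:
    """Value the DB holds: HashEncode(LCase(Trim(pw)) & strSalt)."""
    return hash_encode(normalise(plain_password) + salt)


def resync_buggy(str_password: str, salt: str) -> str:
    """Original line: HashEncode(strPassword & strSalt), where strPassword
    already IS a hash, so the stored value gets hashed a second time."""
    return hash_encode(str_password + salt)


def resync_fixed(session_password: str, salt: str) -> str:
    """Corrected line: rebuild from the plaintext kept in Session("PASSWORD")."""
    return hash_encode(normalise(session_password) + salt)


def login_ok(entered_password: str, salt: str, stored_hash: str) -> bool:
    """The login check recomputes the salted hash from what the user typed."""
    candidate = hash_encode(normalise(entered_password) + salt)
    return hmac.compare_digest(candidate, stored_hash)


def demo() -> tuple:
    """Returns (login works after buggy resync, login works after fixed resync)."""
    # Constructed sample values; not taken from any real account.
    plaintext = "  Admin-Passw0rd  "
    salt = "ab12cd"
    # The calling system hands over an already-hashed password.
    already_hashed = store_password(plaintext, salt)

    # Buggy path: the stored record becomes hash(hash + salt).
    stored_after_bug = resync_buggy(already_hashed, salt)
    # Fixed path: the stored record is rebuilt from the session plaintext.
    stored_after_fix = resync_fixed(plaintext, salt)

    return (
        login_ok(plaintext, salt, stored_after_bug),
        login_ok(plaintext, salt, stored_after_fix),
    )


if __name__ == "__main__":
    buggy, fixed = demo()
    print("login after buggy resync:", buggy)   # False: double-hashed record
    print("login after fixed resync:", fixed)   # True: record matches login check
```

Running the script shows the admin login failing after the buggy resync and succeeding after the corrected one, which is exactly the "never stays in sync" symptom from the report.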