Problem with new user login

Castrobot · 2008-04-16 19:00:37

Hi to all,

this is my first experience with textpattern and I must say that i’m getting more and more impressed with the cms as I work with it…

I managed to solve a few minor problems to get the “All checks passed” in the Diagnostics section, But…

My problem now is that when I create a new user:
1- when i click “save” it says that an email has been sent to the new user… but it never gets there…

2-when i try to log in with the new user name and password, I just get a “Could not login with that name/password.” although the name and login are listed in the admin>users section.

so I’m really wondering what’s wrong here… Is it important that the user gets the email before using the login/password?

I’m with hosteurope if that can help to see what’s the problem… My only guesses would be that my host doesnt allow to send messages through the database? or there is something wrong with some of my textpattern files? I’m a bit clueless…

thanks in advance for your time

ruud · 2008-04-16 20:26:52

The email is not important.
Try creating a user ‘test’ with a password ‘secret’ (privilege level: freelancer) and then log in with that username/password combination. If that doesn’t work, fire up PHPmyAdmin, browse the txp_users table and post all the fields in the row that contains the user ‘test’ here without revealing your website location.

redbot · 2008-04-16 23:33:23

Castrobot,
ruud is right when he says the email is not important. Anyway you can try this before posting your data here:
1) create a new user and hit save (as you said the email won’t be sent… nevermind)
2) go to phpmyadmin and run the following query (copied from txp faqs):

update txp_users set pass=password(lower(‘pass’)) where name=‘user’;

..where pass is the new password, and user is the login username.

3) try to log in again

ruud · 2008-04-17 08:58:32

That’s nice as an extra test, but I’m really curious to see how TXP stores the password (not PHPmyAdmin) :)

Castrobot · 2008-04-17 10:46:01

First of all, thanks ruud and redbot for your answers…

ruud: nope, it didnt work
redbot: It worked!

But that still leaves me with some questions about the procedures… I guess I should learn a bit more about php and sql, but that could take time…

I’m also wondering where you can find the password that txp creates. In phpMyAdmin, the “pass” just appears as a bunch of random numbers and letters like “23nck5438fksm5” or something like that, so you can’t go in there and know everybody’s password? I guess these letters and numbers have a special signification, but my programing skills are not up to that level…
I understand pretty much what all the rows in the txp_users mean, but what about “nonce”?

And I guess unless I reinstall the program, I’ll never really know what happened with the email sendings…

thanks again

Last edited by Castrobot (2008-04-17 10:47:55)

Gocom · 2008-04-17 11:39:39

Castrobot wrote:

I’m also wondering where you can find the password that txp creates. In phpMyAdmin, the “pass” just appears as a bunch of random numbers and letters like “23nck5438fksm5”

It’s coz security. It’s simply just your password in crypted format. If I remember right, Textpattern uses MD5, so it’s 32-characters long string. Why? That you can’t simply see the password of others – for security. Also it’s good in those situations when someone hacks your database.

If you use TXP’s Automatic password generation, then the password will contain only 6 characters from 023456789bcdfghjkmnpqrstvwxyz. In random order ofcourse. Nonce in other hand is the key to seccesfully authenticate you. It’s like secret key, with out it you can’t get in nor change the original password.

Last edited by Gocom (2008-04-17 11:41:14)

Castrobot · 2008-04-17 12:11:47

Gocom wrote:

It’s coz security. It’s simply just your password in crypted format. If I remember right, Textpattern uses MD5, so it’s 32-characters long string. Why? That you can’t simply see the password of others – for security. Also it’s good in those situations when someone hacks your database.

If you use TXP’s Automatic password generation, then the password will contain only 6 characters from 023456789bcdfghjkmnpqrstvwxyz. In random order ofcourse. Nonce in other hand is the key to seccesfully authenticate you. It’s like secret key, with out it you can’t get in nor change the original password.
—-

Yep, I thought about security reasons… makes sense. Then I’ll keep it secret…

My next question would be: Is there anyway not to use Automatic password generation in txp?
(sorry for beginners questions, I’m only throwing ideas…)

Last edited by Castrobot (2008-04-17 12:12:32)

redbot · 2008-04-17 13:01:53

Castrobot wrote:

My next question would be: Is there anyway not to use Automatic password generation in txp?
(sorry for beginners questions, I’m only throwing ideas…)

1)If you have problems with the password not been sent you have to use the method I suggested before. first create a new user > let txp generate the password > change it with phpmyadmin
2) if your password is sent correcly then first create a new user > let txp generate the password and send it > login with that name and password > go to admin -> users and insert a new password

P.S.
I always use the first method: it’s faster

Last edited by redbot (2008-04-17 13:04:54)

Gocom · 2008-04-17 13:06:33

Then I’ll keep it secret

Better, ya must. If ya don’t, th’n the whole login functions must be chang’d, as it expects that there is a crypted string instead of a human readable.

Is there anyway not to use Automatic password generation in txp?

If ur trying to accomplish some sort of Automatic User Registeration, like mem_self_register allows, then don’t do it, or change it that the user can choose own password right from the start. It would just bring your security down, as then bot will know what is the pass, when it does, then it’s also able to spam. Althought, It could be done with activation links, but it requires quite large plugin.

But if you need password, then redbot did throw the answer earlier. As redbot said:

update txp_users set pass=password(lower('pass')) where name='user';

ruud · 2008-04-17 15:06:17

Gocom:

If you use TXP’s Automatic password generation, then the password will contain only 6 characters

Since a random generated password is typically a lot safer than passwords chosen by users, it’s not by definition less safe. Both self chosen passwords and auto-generated passwords are stored only in hashed formats in the txp_users table.

That SQL command is not a solution, it’s a workaround. TXP should be sending the exact same SQL command (at at least something with the same effect) and if it doesn’t that’s a bug which should be fixed.

Last edited by ruud (2008-04-17 15:09:23)

Gocom · 2008-04-17 16:15:07

ruud wrote:

Since a random generated password is typically a lot safer than passwords chosen by users, it’s not by definition less safe. Both self chosen passwords and auto-generated passwords are stored only in hashed formats in the txp_users table.

Ruud, I didn’t mean that it’s insecure. If we are precise, that only is in wrong spot, and i was just too lazy to edit it. It’s quite safe at it is random, in example it’s very hard to made up with human logic nor random fingers. But it can be solved, in the end. It takes some time, but far less then 24 chars.

With only I mean those letters “only from” 023456789bcdfghjkmnpqrstvwxyz, but I added there a word and two, and didn’t changed the place of the only. Only isn’t critic so said.

And yes that SQL command is not work around, coz Textpattern should not require any sql language skill from the user. But the user handling should be proved, somebit atleast. That password reset on the login page is progress but the user management pages are kinda, hmm, same as years ago.

redbot · 2008-04-17 17:11:23

ruud wrote

That SQL command is not a solution, it’s a workaround.

Maybe I missed something but I agree,
that command is a workaround, and rightly so.
As I said it can be useful in two non-standard situations:
1) you can’t send mail so you can’t know what is the password generated by txp
2) you want to change a password created by txp for another user with less privileges.
I know the latter is less safe, but in some cases you can need it.

Last edited by redbot (2008-04-17 17:15:16)

Textpattern CMS

Textpattern CMS support forum

#1 2008-04-16 19:00:37

Problem with new user login

#2 2008-04-16 20:26:52

Re: Problem with new user login

#3 2008-04-16 23:33:23

Re: Problem with new user login

#4 2008-04-17 08:58:32

Re: Problem with new user login

#5 2008-04-17 10:46:01

Re: Problem with new user login

#6 2008-04-17 11:39:39

Re: Problem with new user login

#7 2008-04-17 12:11:47

Re: Problem with new user login

#8 2008-04-17 13:01:53

Re: Problem with new user login

#9 2008-04-17 13:06:33

Re: Problem with new user login

#10 2008-04-17 15:06:17

Re: Problem with new user login

#11 2008-04-17 16:15:07

Re: Problem with new user login

#12 2008-04-17 17:11:23

Re: Problem with new user login

Board footer