Cannot change passwords after site migration

By pgplast - December 4, 2022

I recently moved the data from a long-existing site to a new, re-designed site. The site uses WebsiteMembership plugin to manage membership accounts. Happily, most things are working.

However, I have found that no users are able to update their passwords using the prescribed mechanism, (see below).

Whenever one tries to do so, the system returns, "Current password isn't correct!"

The accounts table was recreated on the new server and users are able to log in with their existing passwords. However, no one can edit a password since the existing passwords are not recognized as the "oldPassword" by the system

Can anyone help??



### Change Password
if (@$_POST['changePassword']) {
$encryptPasswords = @$SETTINGS['advanced']['encryptPasswords'];

// error checking
$_REQUEST['oldPassword'] = preg_replace("/^\s+|\s+$/s", '', @$_REQUEST['oldPassword']); // v1.10 remove leading and trailing whitespace
$oldPasswordHash = $encryptPasswords ? getPasswordDigest(@$_REQUEST['oldPassword']) : @$_REQUEST['oldPassword'];
if (!@$_REQUEST['oldPassword']) { $errorsAndAlerts .= "Please enter your current password<br/>\n"; }
elseif ($oldPasswordHash != $CURRENT_USER['password']) { $errorsAndAlerts .= "Current password isn't correct!<br/>\n"; }
$newPasswordErrors = getNewPasswordErrors(@$_REQUEST['newPassword1'], @$_REQUEST['newPassword2'], $CURRENT_USER['username']); // v2.52
$errorsAndAlerts .= nl2br(htmlencode($newPasswordErrors));
// pmg: let sput the unencrypted password in as well
$non_encrypted_password = @$_REQUEST['newPassword2'];
// change password
if (!$errorsAndAlerts) {
$passwordHash = $encryptPasswords ? getPasswordDigest($_REQUEST['newPassword2']) : $_REQUEST['newPassword2'];
mysql_update( accountsTable(), $CURRENT_USER['num'], null, array('password' => $passwordHash)); // update password
/// now the non-encrypted one
mysql_update( accountsTable(), $CURRENT_USER['num'], null, array('non_encrypted_password' => $non_encrypted_password)); // update non-encrypted password
websiteLogin_setLoginTo( $CURRENT_USER['username'], $_REQUEST['newPassword2'] ); // update current login session
unset($_REQUEST['oldPassword'], $_REQUEST['newPassword1'], $_REQUEST['newPassword2']); // clear form password fields
$errorsAndAlerts = "Thanks, we've updated your password!<br/>\n";
} ### END: Change Password

By Dave - December 7, 2022

Hi pgplast, 

I emailed as well but for anyone else with this issue in future here's the fix: 

I replaced this line:
$encryptPasswords = @$SETTINGS['advanced']['encryptPasswords'];

With this:
//$encryptPasswords = @$SETTINGS['advanced']['encryptPasswords'];
$encryptPasswords = true;

It was using an old version of the edit profile page code from when CMSB had the option to disable password encryption. It's always enabled now so we no longer check for it.

Hope that helps! Let me know any other questions or issues.

Dave Edis - Senior Developer

Thanks for this, Dave. (Respomnded earlier by email)