Sometimes the password doesn't work although the user writes the right password - problem with line feed and carriage return

Hi,

We had trouble with a few of our customers complaining they couldn't log in to the site, and they had not changed the password themselves. At first we thought it was just a fluke, because after they requested a password reset and changed it, it worked again.

After a very, very long and extensive search for the cause, and after implementing additional logging mechanisms (logging changes to every record in the Customer table), we figured out a very strange thing. Although the password we set was stored in the database, in Core.Customer.cs method CheckLogin the user actually had a different hash than it should have (line if (m_Password == pwd.SaltedPassword)) using the same salt key.

When comparing the hash that was stored in the DB and the one we got in m_Password, there was a slight difference (hashes are not escaped below for clearer reading):

pwd.SaltedPassword: ??P???%,?????%A    Rp?????Rjd?w??He?w??H?7gT

m_Password:        ?\\\n??P???%,?????%A    Rp?????Rjd?w??He?w??H?7gT

Notice the additional \\\n at the beginning. It seems that the stored password in the DB with a newline wasn't read correctly from the DB the next time.
If you need a hash/salt combo with the cleartext password, we can send them by private mail so you can test it yourself.

If you have an idea where the best place to fix this would be, it would be greatly appreciated. I was thinking of generating new hashes/salts until no C# special characters are hit, or at least until the line feed and carriage return are not present in the hash.

Thank you for your help and ideas!
Markus

asked Jun 8, 2015 in MultiStore by Markus (195 points)
Have you opened a bug report with Vortx on this? If you're using their stock code, this seems like something they ought to patch.
Yes, sent it the same day. No answer from them.

1 Answer

0 votes

Best answer

After a monster debug session we found out that the password is not correctly updated through WSI, because in the method hlpCustomerUpdate an UPDATE SQL is run which has a ToString() on it which corrupts the password and therefore stores a different value in the DB. In our case that was a line-feed character (in the DB that is a char(10)). We call WSI a lot, so this problem could occur more often than with a simple storefront site.

The guilty code :)

            // was there anything to update:
            if (Separator != String.Empty)
            {
                RunCommand(sql.ToString());
            }

We changed the code for a new password from:

                // builds the SET clause by string concatenation; the salted hash
                // goes into the UPDATE as quoted text
                String newpwd = p.SaltedPassword;

                sql.Append(Separator);
                sql.Append("SaltKey=");
                sql.Append(p.Salt.ToString());
                Separator = ",";

                sql.Append(Separator);
                sql.Append("Password=");
                sql.Append(DB.SQuote(newpwd));
                Separator = ",";

to this:

c.UpdateCustomer(
    /*CustomerLevelID*/ null,
    /*EMail*/ null,
    /*SaltedAndHashedPassword*/ p.SaltedPassword,
    /*SaltKey*/ p.Salt,
    /*DateOfBirth*/ null,
    /*Gender*/ null,
    /*FirstName*/ null,
    /*LastName*/ null,
    /*Notes*/ null,
    /*SkinID*/ null,
    /*Phone*/ null,
    /*AffiliateID*/ null,
    /*Referrer*/ null,
    /*CouponCode*/ null,
    /*OkToEmail*/ null,
    /*IsAdmin*/ null,
    /*BillingEqualsShipping*/ null,
    /*LastIPAddress*/ null,
    /*OrderNotes*/ null,
    /*SubscriptionExpiresOn*/ null,
    /*RTShipRequest*/ null,
    /*RTShipResponse*/ null,
    /*OrderOptions*/ null,
    /*LocaleSetting*/ null,
    /*MicroPayBalance*/ null,
    /*RecurringShippingMethodID*/ null,
    /*RecurringShippingMethod*/ null,
    /*BillingAddressID*/ null,
    /*ShippingAddressID*/ null,
    /*GiftRegistryGUID*/ null,
    /*GiftRegistryIsAnonymous*/ null,
    /*GiftRegistryAllowSearchByOthers*/ null,
    /*GiftRegistryNickName*/ null,
    /*GiftRegistryHideShippingAddresses*/ null,
    /*CODCompanyCheckAllowed*/ null,
    /*CODNet30Allowed*/ null,
    /*ExtensionData*/ null,
    /*FinalizationData*/ null,
    /*Deleted*/ null,
    /*Over13Checked*/ null,
    /*CurrencySetting*/ null,
    /*VATSetting*/ null,
    /*VATRegistrationID*/ null,
    /*StoreCCInDB*/ null,
    /*IsRegistered*/ null,
    /*LockedUntil*/ null,
    /*AdminCanViewCC*/ null,
    /*BadLogin*/ -1,
    /*Active*/ null,
    /*PwdChangeRequired*/ 0,
    /*RegisterDate*/ null
);

answered Nov 4, 2015 by Markus (195 points)
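The fragility described in this thread comes from storing raw hash bytes as text: a byte 0x0A becomes a line feed, and any whitespace-normalizing step on the way to the database can alter it. The following is an added Python example, not code from the post or from AspDotNetStorefront: it derives a hash whose raw form contains a line feed, pushes a raw-text record and a Base64 record through a constructed newline-normalizing transport, and shows that only the encoded form still verifies (with a constant-time compare). The PBKDF2 parameters and the transport are constructed for the demo and do not model WSI's actual behaviour.

```python
import base64
import hashlib
import hmac

ITERATIONS = 20_000  # PBKDF2 work factor, lowered for the demo (constructed value)

def salted_hash(password: str, salt: bytes) -> bytes:
    """Derive the salted hash as raw bytes; never treat these bytes as text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def find_salt_with_newline(password: str) -> bytes:
    """Walk deterministic salts until the raw hash contains 0x0A (LF), showing
    that control bytes turn up routinely in a raw hash."""
    n = 0
    while True:
        salt = n.to_bytes(8, "big")
        if b"\n" in salted_hash(password, salt):
            return salt
        n += 1

def raw_text_record(h: bytes) -> str:
    """Fragile form: one text character per hash byte, so 0x0A becomes '\\n'."""
    return h.decode("latin-1")

def encoded_record(h: bytes) -> str:
    """Hardened form: printable Base64, so no hash byte can become whitespace."""
    return base64.b64encode(h).decode("ascii")

def transport(value: str) -> str:
    """Constructed stand-in for a text path that normalizes line feeds to spaces
    (as XML attribute-value normalization does). Not the real WSI code."""
    return value.replace("\r\n", "\n").replace("\n", " ")

def verify_raw(stored: str, password: str, salt: bytes) -> bool:
    """Constant-time compare of the stored text, read back as bytes."""
    return hmac.compare_digest(stored.encode("latin-1"), salted_hash(password, salt))

def verify_encoded(stored: str, password: str, salt: bytes) -> bool:
    """Constant-time compare after decoding the Base64 record."""
    return hmac.compare_digest(base64.b64decode(stored), salted_hash(password, salt))

def demo(password: str = "correct horse") -> dict:
    """Same hash, two storage forms, one mangling transport; only Base64 verifies."""
    salt = find_salt_with_newline(password)
    h = salted_hash(password, salt)
    return {"raw_survives": verify_raw(transport(raw_text_record(h)), password, salt),
            "encoded_survives": verify_encoded(transport(encoded_record(h)), password, salt)}
```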
...