292911
AndreyRa
Re: Autologin for Xoops 2.0.x
  • 2003/6/21 15:06

  • AndreyRa

  • Just popping in

  • Posts: 17

  • Since: 2003/3/16


So, as I also thought (and even wrote a couple of minutes ago), the problem is that you have updated Xoops incorrectly.
You should use the 2.0RC3 script, which differs in step number 2 of the installation.

I hope everything works out for you. And if anything else comes up, write.



292912
robnelle
Re: Autologin for Xoops 2.0.x
  • 2003/6/21 14:54

  • robnelle

  • Just popping in

  • Posts: 14

  • Since: 2003/5/28


Please Help! I installed this hack and now I can't login at all!

Info:
Xoops version 2.03
PHP version 4.3.2
MySQL version 1.3.27 (Unix)


I installed per the given instructions and I get an 'incorrect login' error every time I or anyone else tries to login to my site. If I use the lost password function I get the new password just fine but it doesn't work. I installed this hack yesterday and all was well. I stayed logged into my account for over 12 hours but then XOOPS logged me out and I couldn't get back in under any account. What could be wrong? This is what my code looks like after I have finished installing the hack:

file include/common.php
}
                }
                if ($xoopsModule->getVar('hasconfig') == 1 || $xoopsModule->getVar('hascomments') == 1 || $xoopsModule->getVar('hasnotification') == 1) {
                        $xoopsModuleConfig =& $config_handler->getConfigsByCat(0, $xoopsModule->getVar('mid'));
                }
        }

//Begin: Autologin hack
if ((empty($HTTP_SESSION_VARS['xoopsUserId'])) &&
    (!empty($HTTP_COOKIE_VARS['al_pass'])&&(!empty($HTTP_COOKIE_VARS['al_uname']))))
{
         $myts =& MyTextsanitizer::getInstance();
         $uname=$HTTP_COOKIE_VARS['al_uname'];
         $pass=trim($HTTP_COOKIE_VARS['al_pass']);
         $member_handler =& xoops_gethandler('member');
         $myts =& MyTextsanitizer::getInstance();
         $user =& $member_handler->loginUser(addslashes($myts->stripSlashesGPC($uname)),
             addslashes($myts->stripSlashesGPC($pass)),true);
         if ($user != false){
           setcookie('al_pass', $pass, time()+86400*100,'/','',0);
           setcookie('al_uname', addslashes($uname),
               time()+86400*100,'/','',0);
           $user->setVar('last_login', time());
           if (session_id()==''){session_destroy(); session_start();};
           $HTTP_SESSION_VARS = array();
           $HTTP_SESSION_VARS['xoopsUserId'] = $user->getVar('uid');
           $HTTP_SESSION_VARS['xoopsUserGroups'] = $user->getGroups();
           if ($xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] != '') {
             setcookie($xoopsConfig['session_name'], session_id(),
                 time()+$xoopsConfig['session_expire'], '/',  '', 0);
             $HTTP_COOKIE_VARS[$xoopsConfig['session_name']]=session_id();
            }
           $user_theme = $user->getVar('theme');
           if (in_array($user_theme, $xoopsConfig['theme_set_allowed'])) {
             $HTTP_SESSION_VARS['xoopsUserTheme'] = $user_theme;
            }
          };
         };
//End: Autologin Hack


file kernel/member.php

/* function &loginUser($uname, $pwd)
    {
        $criteria = new CriteriaCompo(new Criteria('uname', $uname));
        $criteria->add(new Criteria('pass', $pwd));
        $user =& $this->_uHandler->getObjects($criteria, false);
        if (!$user || count($user) != 1) {
            return false;
        }
        return $user[0];
    }   */
    //Begin: Autologin hack
    function &loginUser($uname, $pwd, $al_login = false)
    {
        $criteria = new CriteriaCompo(new Criteria('uname', $uname));
        if (!$al_login){$mypwd=md5($pwd);} else {$mypwd=$pwd;};
        $criteria->add(new Criteria('pass', $mypwd));
        $user =& $this->_uHandler->getObjects($criteria, false);
        if (!$user || count($user) != 1) {
            return false;
        }
        return $user[0];
    }
//End: Autologin hack


file include/checklogin.php

//
if ($uname == '' || $pass == '') {
        redirect_header(XOOPS_URL.'/user.php', 1, _US_INCORRECTLOGIN);
        exit();
}
if (false != $user) {
//Begin: Autologin hack
        if (!empty($HTTP_POST_VARS['union_al'])&&($HTTP_POST_VARS['union_al']=='Yes')){
          setcookie('al_pass', md5($pass),
              time()+86400*100,'/','',0);
          setcookie('al_uname', addslashes($uname),
              time()+86400*100,'/','',0);
         };
//End: Autologin hack
        if (0 == $user->getVar('level')) {
                redirect_header(XOOPS_URL.'/index.php', 5, _US_NOACTTPADM);
                exit();
        }


file user.php

if ($op == 'logout') {
        $message = '';
        $HTTP_SESSION_VARS = array();
        session_destroy();
//Begin: Autologin hack
        setcookie('al_pass', '', time()-33600,'/','',0);
        setcookie('al_uname', '', time()-33600,'/','',0);
//End: Autologin hack
        if ($xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] != '') {
                setcookie($xoopsConfig['session_name'], '', time()- 3600, '/',  '', 0);
        }


I think I should let you know that this hack is not the only alteration to the above mentioned files. I also have IBFM and 4images modules installed which also make changes to the common.php, checklogin.php and member.php. I don't know about user.php. I don't know if there may be a possible hack conflict but I thought it wouldn't hurt to mention the other file alterations just in case. I appreciate any help you can give me. If you need me to provide any other info like the complete .php files mentioned above, just let me know.


I am really looking forward to using this wonderful hack! Thanks AndreyRa for creating it and _masi for the wonderful idea!




292913
AndreyRa
Re: Autologin for Xoops 2.0.x
  • 2003/6/21 14:09

  • AndreyRa

  • Just popping in

  • Posts: 17

  • Since: 2003/3/16


Quote:
_masi wrote:
Hmm, I'm sure there is way to use a "secret" cookie style without changing the internal stored format (ie plain login and hashed password). I'll try and think of a method - it'd be on paper cause I'm off to a vacation soon.

I wish you a pleasant rest!

I have been thinking. It is possible to add a third parameter: a checksum. The idea is to hash a string based on the user's password + a secret word. I thought that such a word could not be devised, since the script's code is open. And then I realized that this word should be the password of the administrator (i.e. the user with ID = 1). Thus we get a binding to the administrator's password as a secret key. Quite a reasonable means of protection. In principle it is possible to break it, but not so easily. And more likely only for an individual login, by sniffing the client's traffic. This approach will protect the system first of all from brute-forcing of hashes of common passwords.

Well, how about it? Secure enough?

Mmm. The administrator can change the password! It is necessary to look for another binding. But what?

Quote:

And you don't need to change many things to get something configurable. XOOPS provides a quite advanced configuration system. It uses a general table and an OO-API for access. I'll dig up some info for you how to use it.

For this purpose it was necessary for me to make changes in SQL. I mean serious structural changes. Such changes can make a successful update of XOOPS impossible in the future. Therefore they should be introduced only through development of the new version (I mean in CVS).

Quote:
Epsylon3 wrote:
uhm, oh yea passw is not stored in cookie, only the md5 hash ?

Yes, that is so. I have now edited the first message, where I have pointed out this feature separately.

I have also changed the storage of the user's name in plain form to the user ID.



292914
Epsylon3
Re: Autologin for Xoops 2.0.x
  • 2003/6/21 12:22

  • Epsylon3

  • Just popping in

  • Posts: 1

  • Since: 2002/10/24


uhm, oh yea passw is not stored in cookie, only the md5 hash ?



292915
_masi
Re: Autologin for Xoops 2.0.x
  • 2003/6/21 11:20

  • _masi

  • Just popping in

  • Posts: 19

  • Since: 2003/3/28


Hmm, I'm sure there is way to use a "secret" cookie style without changing the internal stored format (ie plain login and hashed password). I'll try and think of a method - it'd be on paper cause I'm off to a vacation soon.

And you don't need to change many things to get something configurable. XOOPS provides a quite advanced configuration system. It uses a general table and an OO-API for access. I'll dig up some info for you how to use it.



292916
hal_u1
Re: XoopsGallery Fixes.. Recent Comments Link, New Pics Block showing thumbnail, etc...
  • 2003/6/21 9:39

  • hal_u1

  • Just popping in

  • Posts: 5

  • Since: 2003/4/4 8


Hi, Knight!
You said to me?
Quote:
i wonder you solve the problem already ?

I did not solve..
I applied only session.php, so I will try to change the template.



292917
AndreyRa
Re: Autologin for Xoops 2.0.x
  • 2003/6/21 9:17

  • AndreyRa

  • Just popping in

  • Posts: 17

  • Since: 2003/3/16


Quote:
_masi wrote:
A good start and a fine feature. But I have a few issues.

I don't think it is a good idea to store the actual password in the cookie nor it is to send out a simple hashed version of it. Have a look at sourceforge, they use even a hashed/encrypted login plus a special session_persist cookie.

The password is stored as an md5 hash. Actually, the password is stored as a hash in the XOOPS database. There is only one security issue: the login is stored as is. Basically, it is possible to add a procedure for additionally converting the name into a user ID. And perhaps I shall work on it in the near future.

For the paranoid, it is possible to add an additional hashed parameter such as IP + secret word. But in that case it cannot work for people with dynamic IPs.

As for sessions, that can be implemented only by deep programming of the core. In the format of this forum it would simply be impossible to describe. I am afraid that it can be done only in the format of the official CVS.

Quote:

And of course this feature has to be configurable
A config to turn it on and off and another one to configure the timeout in days.

That would also require changing too many parts of XOOPS.

Quote:

Anyway I'd love to see this in the official XOOPS.

I am working in just this direction. I also hope that I shall find mutual understanding with the developers of Xoops.
To that end I have posted the full list of my work here: Some useful hacks.

Quote:

PS: BTW, I posted an ugly autologin hack myself. It's about an auto-login after an auto-approved registration. Perhaps you could integrate this as well, while you're at it

My hack does not depend on your hack. I personally used your hack and got a great deal of pleasure from it. Thanks for the good idea! And for the good, compact code.
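
An added example, not part of the thread or of XOOPS: the keyed hash ("password + secret word") discussed in the posts above, done as an HMAC with a server-side secret, so the cookie carries a uid, an expiry and a MAC instead of the stored md5 hash. AL_SECRET, al_issue(), al_verify() and the sample data are assumptions, and the code targets current PHP (hash_hmac, hash_equals) rather than the PHP 4.3 in the thread.

```php
<?php
// Added example. AL_SECRET, al_issue() and al_verify() are hypothetical names,
// not XOOPS APIs.

// Assumption: a random per-site secret kept in server-side config only.
const AL_SECRET = 'constructed-sample-secret-use-random-bytes-in-practice';

// Cookie value is "uid:expires:mac". The stored password hash goes into the
// MAC input only, so it never leaves the server, and a password change
// invalidates every cookie issued earlier.
function al_issue(int $uid, string $storedHash, int $ttl, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $mac = hash_hmac('sha256', "$uid:$expires:$storedHash", AL_SECRET);
    return "$uid:$expires:$mac";
}

// Returns the uid for an authentic, unexpired cookie, otherwise false.
// $lookupHash maps a uid to the stored password hash, or null if unknown.
function al_verify(string $cookie, callable $lookupHash, ?int $now = null)
{
    $parts = explode(':', $cookie);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return false;
    }
    [$uid, $expires, $mac] = $parts;
    $stored = $lookupHash((int) $uid);
    if ((int) $expires < ($now ?? time()) || $stored === null) {
        return false;
    }
    $expected = hash_hmac('sha256', "$uid:$expires:$stored", AL_SECRET);
    return hash_equals($expected, $mac) ? (int) $uid : false; // constant-time compare
}

// Constructed sample data: uid => stored md5 hash, as in the thread.
$users  = [7 => md5('sample-password')];
$lookup = function (int $uid) use (&$users) { return $users[$uid] ?? null; };
$t0     = 1056200000; // fixed clock for the demonstration

$cookie = al_issue(7, $users[7], 86400 * 100, $t0);
var_dump(al_verify($cookie, $lookup, $t0 + 3600));                       // within lifetime
var_dump(al_verify(preg_replace('/^7:/', '1:', $cookie), $lookup, $t0)); // uid edited by client
var_dump(al_verify($cookie, $lookup, $t0 + 86400 * 101));                // past expiry
$users[7] = md5('changed-password');
var_dump(al_verify($cookie, $lookup, $t0 + 3600));                       // after password change
```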



292918
_masi
Re: Autologin for Xoops 2.0.x
  • 2003/6/21 8:26

  • _masi

  • Just popping in

  • Posts: 19

  • Since: 2003/3/28


A good start and a fine feature. But I have a few issues.

I don't think it is a good idea to store the actual password in the cookie nor it is to send out a simple hashed version of it. Have a look at sourceforge, they use even a hashed/encrypted login plus a special session_persist cookie.

And of course this feature has to be configurable
A config to turn it on and off and another one to configure the timeout in days.

Anyway I'd love to see this in the official XOOPS.

PS: BTW, I posted an ugly autologin hack myself. It's about an auto-login after an auto-approved registration. Perhaps you could integrate this as well, while you're at it



292919
jctsup1
NewBB Problem?
  • 2003/6/21 7:39

  • jctsup1

  • Not too shy to talk

  • Posts: 146

  • Since: 2002/5/23


When an "anonymous" user browses my forums & then uses the login block to login, the user is successfully logged in however the following message appears:


Error: Forum not selected


Then the user is taken to the forum home page i.e. /modules/newbb/. I do not have this issue with any other mod.

Happens with ver 2.02 & 2.03. I can reproduce this problem on Windows systems running IIS 4, 5, 5.1 & 6. I have tried it both with register_globals on & off with no change in behavior.
PHP Version : 4.3.2 Any ideas?



292920
knight
Re: XoopsGallery Fixes.. Recent Comments Link, New Pics Block showing thumbnail, etc...
  • 2003/6/21 7:30

  • knight

  • Just popping in

  • Posts: 29

  • Since: 2002/12/29


i wonder you solve the problem already ?
facing same problem, i just remove the
width="<{$image.width}>" height="<{$image.height}>" from the template and the pic is showing now...

anyway thanx for this patch






