Vizworld (@vizworld)

Forum Replies Created

Viewing 8 replies - 1 through 8 (of 8 total)
  • @vizworld

    Member

    Ok, I fixed it.. Kinda.. It’s a nasty fix, but it _does_ work (I’m using it on http://www.Vizworld.com now).

    A quick cliffnotes version:

    Took 2 main changes.. a) I had to update the validate_auth function in the _freshly_Baked_cookies plugin to make it work with the new password-including authentication. b) I had to modify the bb-include/pluggable.php to use the new algorithms for salting & auth (wp_salt and wp_auth). The ones that ship with bbpress don’t pass a Schema around, and apparently it’s important now.

    If you want the two files, you can download them from http://www.yeraze.com/bbpress-wp2.8-fbc_fix.tgz . I really hope _ck_ can take a look at this and see if it can all be encapsulated within the fbc plugin.. As it is now, soon as I upgrade bbpress I’ll lose it again.

    @vizworld

    Member

    Ok.. I’m not 100% on this, but it seems the cookie hashing algorithm changed in WP2.8.

    In WP2.7, in wp-includes/pluggable.php (line 512)

        if ( $expired < time() ) {
            do_action('auth_cookie_expired', $cookie_elements);
            return false;
        }

        $key = wp_hash($username . '|' . $expiration, $scheme);
        $hash = hash_hmac('md5', $username . '|' . $expiration, $key);

    and in 2.8:

        // Quick check to see if an honest cookie has expired
        if ( $expired < time() ) {
            do_action('auth_cookie_expired', $cookie_elements);
            return false;
        }

        $user = get_userdatabylogin($username);
        if ( ! $user ) {
            do_action('auth_cookie_bad_username', $cookie_elements);
            return false;
        }

        $pass_frag = substr($user->user_pass, 8, 4);

        $key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme);
        $hash = hash_hmac('md5', $username . '|' . $expiration, $key);

    So, in 2.8 the hash is salted with 4 characters of the user’s password. The “freshly_baked_cookies” plugin hasn’t been upgraded to match this change, so it always fails to match the hashed cookies.

    Unfortunately, the get_userdatabylogin function doesn’t seem to exist in bbpress…..
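
The mismatch described in the post above, as an added example that is not part of the original post and is not WordPress, bbPress or plugin code: it computes the cookie hash with both quoted derivations and shows which verifier accepts a 2.8-issued hash. `example_wp_hash()` is a simplified stand-in for `wp_hash()` (the real function keys the HMAC with the site's secret salt for the scheme), and the salt, username, timestamp and stored password hashes are constructed values.

```php
<?php
// Constructed secret standing in for the site's key and salt (assumption).
const EXAMPLE_SALT = 'constructed-secret-key-and-salt';

// Simplified stand-in for wp_hash(): HMAC-MD5 keyed with a per-scheme salt.
function example_wp_hash(string $data, string $scheme = 'auth'): string {
    return hash_hmac('md5', $data, EXAMPLE_SALT . $scheme);
}

// WP 2.7 derivation quoted in the post: key depends on username and expiry only.
function cookie_hash_27(string $username, int $expiration, string $scheme = 'auth'): string {
    $key = example_wp_hash($username . '|' . $expiration, $scheme);
    return hash_hmac('md5', $username . '|' . $expiration, $key);
}

// WP 2.8 derivation quoted in the post: four characters of the stored
// password hash (offset 8) are mixed into the key.
function cookie_hash_28(string $username, string $user_pass, int $expiration, string $scheme = 'auth'): string {
    $pass_frag = substr($user_pass, 8, 4);
    $key = example_wp_hash($username . $pass_frag . '|' . $expiration, $scheme);
    return hash_hmac('md5', $username . '|' . $expiration, $key);
}

// Constructed sample data, not taken from any real site.
$username   = 'alice';
$expiration = 1893456000;
$stored_old = '$P$BconstructedHashValueAAAAAAAAAA'; // user_pass when the cookie was issued
$stored_new = '$P$BdifferentHashValueBBBBBBBBBBBB'; // user_pass after a password change

// Hash as a 2.8 site would place it in the auth cookie.
$issued = cookie_hash_28($username, $stored_old, $expiration);

// Constant-time comparisons, one per verifier.
$checks = [
    '2.7-style verifier (plugin not yet updated)' =>
        hash_equals(cookie_hash_27($username, $expiration), $issued),
    '2.8-style verifier, same stored password hash' =>
        hash_equals(cookie_hash_28($username, $stored_old, $expiration), $issued),
    '2.8-style verifier, after password change' =>
        hash_equals(cookie_hash_28($username, $stored_new, $expiration), $issued),
];

foreach ($checks as $label => $accepted) {
    printf("%-48s %s\n", $label, $accepted ? 'accepted' : 'rejected');
}
```

The third check shows the side effect of binding the key to the stored password hash: cookies issued before a password change stop validating.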

    @vizworld

    Member

    I’m seeing something similar on VizWorld.com. After upgrading WordPress to 2.8, I’m now unable to login to the Forums (www.vizworld.com/forum). I’m also using the “freshly baked cookies” 0.3.

    Upgrading to BBPress .9.0.5 hasn’t helped…

    @vizworld

    Member

    Well I gave up.. I reverted to 0.9 & the “Freshly Baked Cookies” plugin, and managed to restore everything (with about 45 minutes work).

    @vizworld

    Member

    The problem is coming from line 86 of the wp_auth class, where “set_current_user” calls the “do_action('set_Current_user')”, which destroys the cookie necessary for the Admin Authentication.

    It’s called from bb_settings.php line 1036…. So, how do we fix it?

    @vizworld

    Member

    It looks like something calls wp_auth_object’s set_current_user, before it verifies the cookie.. So when it gets into the WP_Auth’s “validate_auth_cookie”, the necessary cookies have been erased.

    @vizworld

    Member

    If it helps, I’m using the 1.0.6 Alpha, downloaded yesterday.

    @vizworld

    Member

    No luck, still redirects with the ?123412341234 added… Deleting cookies hasn’t helped either.. Tried it about 6 times now :-(
