Vizworld (@vizworld)

Forum Replies Created

Viewing 8 replies - 1 through 8 (of 8 total)
  • Ok, I fixed it.. Kinda.. It’s a nasty fix, but it _does_ work (I’m using it on http://www.Vizworld.com now).

    A quick cliffnotes version:

    Took 2 main changes.. a) I had to update the validate_auth function in the _freshly_Baked_cookies plugin to make it work with the new password-including authentication. b) I had to modify the bb-include/pluggable.php to use the new algorithms for salting & auth (wp_salt and wp_auth). The ones that ship with bbpress don’t pass a Schema around, and apparently it’s important now.

    If you want the two files, you can download them from http://www.yeraze.com/bbpress-wp2.8-fbc_fix.tgz. I really hope _ck_ can take a look at this and see if it can all be encapsulated within the fbc plugin.. As it is now, soon as I upgrade bbpress I’ll lose it again.

    Ok.. I’m not 100% on this, but it seems the cookie hashing algorithm changed in WP2.8.

    In WP2.7, in wp-includes/pluggable.php (line 512)

        if ( $expired < time() ) {
            do_action('auth_cookie_expired', $cookie_elements);
            return false;
        }

        $key = wp_hash($username . '|' . $expiration, $scheme);
        $hash = hash_hmac('md5', $username . '|' . $expiration, $key);

    and in 2.8:

        // Quick check to see if an honest cookie has expired
        if ( $expired < time() ) {
            do_action('auth_cookie_expired', $cookie_elements);
            return false;
        }

        $user = get_userdatabylogin($username);
        if ( ! $user ) {
            do_action('auth_cookie_bad_username', $cookie_elements);
            return false;
        }

        $pass_frag = substr($user->user_pass, 8, 4);

        $key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme);
        $hash = hash_hmac('md5', $username . '|' . $expiration, $key);

    So, in 2.8 the hash is salted with 4 characters of the user’s password. The “freshly_baked_cookies” plugin hasn’t been upgraded to match this change, so it always fails to match the hashed cookies.

    Unfortunately, the get_userdatabylogin function doesn’t seem to exist in bbpress…..

    I’m seeing something similar on VizWorld.com. After upgrading WordPress to 2.8, I’m now unable to login to the Forums (www.vizworld.com/forum). I’m also using the “freshly baked cookies” 0.3.

    Upgrading to BBPress .9.0.5 hasn’t helped…

    Well I gave up.. I reverted to 0.9 & the “Freshly Baked Cookies” plugin, and managed to restore everything (with about 45 minutes work).

    The problem is coming from line 86 of the wp_auth class, where “set_current_user” calls the “do_action('set_Current_user')”, which destroys the cookie necessary for the Admin Authentication.

    It’s called from bb_settings.php line 1036…. So, how do we fix it?

    It looks like something calls wp_auth_object’s set_current_user, before it verifies the cookie.. So when it gets into the WP_Auth’s “validate_auth_cookie”, the necessary cookies have been erased.

    If it helps, I’m using the 1.0.6 Alpha, downloaded yesterday.

    No luck, still redirects with the ?123412341234 added… Deleting cookies hasn’t helped either.. Tried it about 6 times now :-(
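
The WP 2.7 and WP 2.8 key derivations quoted in the replies above, run side by side. This is an added example, not code from WordPress, bbPress or the plugin: `demo_wp_hash()` stands in for `wp_hash()`, and the salt, user name, password hashes and the `username|expiration|hmac` cookie layout are assumptions made for the demonstration.

```php
<?php
// Constructed secret standing in for the site's key and salt (assumption).
const DEMO_SALT = 'constructed-secret-key-and-salt';

// Hypothetical stand-in for wp_hash(): keyed MD5 HMAC over the data.
function demo_wp_hash(string $data): string {
    return hash_hmac('md5', $data, DEMO_SALT);
}

// 2.7-style derivation: the key depends only on user name and expiration.
function cookie_hmac_27(string $username, int $expiration): string {
    $key = demo_wp_hash($username . '|' . $expiration);
    return hash_hmac('md5', $username . '|' . $expiration, $key);
}

// 2.8-style derivation: 4 characters of the stored password hash enter the key.
function cookie_hmac_28(string $username, string $user_pass, int $expiration): string {
    $pass_frag = substr($user_pass, 8, 4);
    $key = demo_wp_hash($username . $pass_frag . '|' . $expiration);
    return hash_hmac('md5', $username . '|' . $expiration, $key);
}

// Validator following the 2.8 logic; $users maps login => stored password hash.
function validate_28(string $cookie, array $users, int $now): bool {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) return false;
    [$username, $expiration, $hmac] = $parts;
    if (!ctype_digit($expiration) || (int)$expiration < $now) return false;
    if (!isset($users[$username])) return false;
    $expected = cookie_hmac_28($username, $users[$username], (int)$expiration);
    return hash_equals($expected, $hmac); // constant-time comparison
}

$now   = 1245000000;                              // constructed timestamp
$exp   = $now + 3600;
$users = ['admin' => '$P$BabcdEFGHijklmnop'];     // constructed password hash

$cookie28 = "admin|$exp|" . cookie_hmac_28('admin', $users['admin'], $exp);
$cookie27 = "admin|$exp|" . cookie_hmac_27('admin', $exp);

var_dump(validate_28($cookie28, $users, $now));   // cookie built the 2.8 way
var_dump(validate_28($cookie27, $users, $now));   // cookie built the 2.7 way
var_dump($cookie27 === "admin|$exp|" . cookie_hmac_27('admin', $exp)); // 2.7 check of a 2.7 cookie

$users['admin'] = '$P$BabcdWXYZijklmnop';         // password changed, new constructed hash
var_dump(validate_28($cookie28, $users, $now));   // old 2.8 cookie after the change
```

The last call shows the effect of the password fragment: once the stored hash changes, a cookie issued before the change no longer validates.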
