
Still having trouble with .pass file (secure password mod)

Hello,

I'm still having trouble with JPDeni's secure password mod. All users except the current one get wiped out of the .pass file every time I use the interface (not the admin) to change a password.

Here's what I've done, as an experiment:

I installed a completely fresh, generic copy of dbman, verified it all worked, then added an EmailAddress field (missing from the freshly-installed database) in the .cfg and html.pl so it would be there for the mod. This too worked just fine.

I then deleted all but three entries from the fresh database and made sure they each had an email attached in the right spot. I did the same for the .pass file. Finally, I added the secure password mod.

Everything works, except for using the interface to change a password (changing email works just fine as well as using the admin display to change a password).

When I use the interface, the .pass file gets re-written with only the entry for the current user; all other users are deleted.

My files (text format) are at the following URL for reference:

http://www.canopydigital.com/dbman-mod

Can someone help me troubleshoot this?


[This message has been edited by Glen Payne (edited September 14, 1999).]
Re: Still having trouble with .pass file (secure password mod) In reply to
The solution is like the old joke about the guy who goes to a doctor and says: "Doc, it hurts when I raise my arm like this." The doctor replies, "So don't raise your arm like that".

The interface is meant for each user to be able to change their password. As the administrator, use the admin screen to do it for others. You may have discovered a bug in the program. After making a copy of my password file, I may try to duplicate your problem. In the meantime, I would suggest using the program and mod the way it is intended. That will definitely solve the problem. It will also allow you to use the database while the problem of erasure if misused is eliminated.
Re: Still having trouble with .pass file (secure password mod) In reply to
I can't change the password from the interface using the mod I got from Carol. You may have the variation that Eliot mentioned, which he noted had some bugs. This may be one of them.
Re: Still having trouble with .pass file (secure password mod) In reply to
Hi ER,

Thanks for the check-up! :)

Seriously, if I'm misusing the mod, I don't know how I'm doing so. Just to be clear, there are two scenarios:

1. I log in as admin and change somebody--anybody--else's password, using the admin screen. This works every time, and updates both the .pass and the record in the db.

2. I log in as somebody else (a test account with view/add/modify/delete but no admin privileges). I click 'change password' and enter a new one into the dialog. Everything reports success (as far as I can see as this test account), and I log in using my new password.

Under scenario 2, however, this test account is now the only user who can log in at all, as the .pass file contains only his entry.

Have I misread how this mod is to be used by non-admin users?

BTW, I see that you posted a second time and mentioned you can't change the password either from the mod you got from Carol. Did you test the mod yourself? You also mentioned a variation (that Eliot mentioned). So is this bugs? Did Eliot or anyone suggest a fix?

I'm happy to get any clarification I can, so I know where to look or can adjust how I use the mod!


[This message has been edited by Glen Payne (edited September 15, 1999).]
Re: Still having trouble with .pass file (secure password mod) In reply to
ER,

Thank you, I'll take a look at your files.

At one point, you mention 'Eliot's variation' or 'the code mentioned in an earlier message I referenced earlier.' Later, you mention only using Carol's code. Are these the same? I'd appreciate a pointer to what you are referring to.

If it's a thread in this forum, I either cannot locate it (did search on all Eliot's posts and spent lots of time reading), or am confused about the history of this mod.

(BTW, I did in fact install Carol's most recent mod over a fresh and plain install of dbman, but the problem remained.)

Anyhow, I do appreciate your interest so far, and look forward to more help.

Re: Still having trouble with .pass file (secure password mod) In reply to
Like I mentioned to Marcus, at this point, I think the best thing to do is to contact Carol (JPDeni) via email or patiently wait for her return to the Forum. We really need to clarify the .pass issue with Carol since she wrote the Mod and may be able to provide better advice on debugging your scripts.

Just a suggestion.

;)

Regards,

------------------
Eliot Lee
Founder and Editor
Anthro TECH, L.L.C
http://www.anthrotech.com/
info@anthrotech.com
==========================
Coconino Community College
http://www.coco.cc.az.us/
Web Technology
Coordinator
elee@coco.cc.az.us
Re: Still having trouble with .pass file (secure password mod) In reply to
Glen,

Take a look at http://www.gossamer-threads.com/scripts/forum/resources/Forum12/HTML/000984.html

Carol's code is the code I was referring to. The post noted above will show you what Eliot's variation is. I agree with him about Carol being best equipped to debug it, though it does work now on my database.
Re: Still having trouble with .pass file (secure password mod) In reply to
Apparently, I misunderstood what you meant. You weren't mis-using it. I thought you were logging in as admin and changing passwords for other users from the interface as admin. You said that the password file erases all others except the regular user you log in as. That is very different and a definite problem.

Yes, I did test the mod as a regular user (several times), and it works well. I did it with the codes from Carol and have not tried Eliot's variation. The one limitation I have (that I'm aware of) is that I can't create new accounts, and that's okay. I'll try his variation later.

If you want to try a working copy, you can copy my files. They are available in text format at http://diverlink.com/members. Just modify the changes for your server and database and they should work for you.

You will probably want to rename the cfg file (mine is members.cfg) and the html.pl file (mine is fmhtml.pl) and both will need several changes to make them reflect your needs. However, the mod works. I also have a Verify records added mod in it but it doesn't function (though Carol has checked the code and can't find anything wrong). It doesn't cause any problems, though.

An alternative is to add the code mentioned in an earlier message I referenced earlier, to a fresh DBman and start from there. Only use the code that Carol gave and test it before you make any changes.

You might have a bug, or possibly an error in syntax. One little mistake, a single character, can cause a problem. You can go on a bug hunt or work around it. Either way, there is a solution for your problem. I have found several people here very helpful in solving most of mine (at least the ones related to the database).


[This message has been edited by ER (edited September 16, 1999).]
Re: Still having trouble with .pass file (secure password mod) In reply to
Hi ER -- a line-by-line comparison of your subroutine change_password versus the one from Carol's mod site shows some differences. I am using 'your' version of the subroutine (I lifted it from http://www.diverlink.com/members), and indeedy do, it works.

However, with your variation of the subroutine, the script does NOT check for a correct password when using the change password dialog as a regular user in the interface.

I just thought I'd mention it in case somehow you weren't aware of it.
Re: Still having trouble with .pass file (secure password mod) In reply to
I downloaded the copy from the resources section here. It is possible that there are variances from the copy on Carol's site.

I have the optional sub-routines installed also. The change password mod seems to work fine.

What do you mean when you say the script does not check for a correct password when using the change password dialog?

Do you mean it doesn't check the new password against the two entries to make sure it was entered consistently?

Carol may have made some refinements that appear on the version on her site and not the one here.
Re: Still having trouble with .pass file (secure password mod) In reply to
Sorry, I wasn't very clear.

I meant to say the script doesn't check to make sure the OLD password was a correct match. So you can just type in any junk, enter a new password twice, and change the password.

Somewhere on this forum JPDeni talks about this -- must've been during development of the mod. Originally, the thinking was you wouldn't even be able to get to the change password screen if you hadn't logged in. Later, more thinking turned up a scenario under which this was either untrue or undesirable.

I'm trying to locate that thread.
Re: Still having trouble with .pass file (secure password mod) In reply to
Was it the secure password mod from Carol's site that might have caused the problem? The difference in our results could be that I used her mod from the resources section here, which you've already noted has some differences. We'll have to check with her in a few days when she is back, caught up on everything else, and able to help further.

I hope you find that discussion you referred to. I'd like to see the scenarios where there might be a problem.
Re: Still having trouble with .pass file (secure password mod) In reply to
Hello again, ER,

Found it, and I feel like an idiot.

http://www.gossamer-threads.com/scripts/forum/resources/Forum12/HTML/000879.html

The above was posted on Sept 01, one day before the date that appears in JPDeni's current secure_lookup.txt. By the way, it turns out there aren't two versions of the mod, as both the resource center here and JPD's site point to the same Sept. 02 file.

Anyhoo, looks like after she answered fharris' question, Carol republished the mod to incorporate the new functionality. Then, much to our (and MANY MANY others'!!) dismay and worry, began not feeling well. The routine I got from your site--the one that works except for the old pw check verification--must've been just a prior version. The new one probably just didn't get the benefit of Carol's full-on testing and critical eye.

Sheesh! I've been going crazy with the mystery of this thing (and banging my head on this forum's search). At least I can put to rest all the dark enigmas that were developing in my head of which version was whose and when, and why some folks say the mod is fine and others don't.

Okay! Now I'll take Eliot's excellent advice and go do something else until Carol fires up the incredible mind she has for this stuff again.
Re: Still having trouble with .pass file (secure password mod) In reply to
Ahha! Fixed it!

I am both happy and humbled to say that I have found what turns out to be (don't they all?) the simple fix for the secure password lookup mod.

Seems Carol's currently published mod is missing a few lines in the subroutine change_password.

After
Code:
PASS: foreach $pass (@passwds) { # Go through each pass and see if we match..
    next PASS if ($pass =~ /^$/); # Skip blank lines.
    chomp ($pass);
    ($userid, $pw, @rest) = split (/:/, $pass);
    if ($userid eq $db_userid) {
        $found = $pass;
        unless (crypt($in{'old'}, $pw) eq $pw) {
            $message = "old password is incorrect";
        }
    }

but BEFORE the next closing curly brace, you need to add
Code:
    else {
        $output .= $pass . "\n";
    }

This does the trick.

I've posted the complete sub change_password at
http://www.canopydigital.com/fixed-mod/sub-change_password-FIXED.pl.txt
in case anyone can benefit from having the whole subroutine.


I guess I ought to let Carol know so she can fix her mod on her site. She programmed the mod correctly, because she explained it correctly to fharris in a post I mentioned in a prior message.

It was probably just a copy/paste error when she rewrote the mod to incorporate what fharris wanted.

Whew! Crushing your head to find a small typo like that IS humbling. I'm glad I could contribute something, anyway, to Carol's excellent mod!



[This message has been edited by Glen Payne (edited September 17, 1999).]
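
The effect of the missing else branch described in the post above, as an added example that is not part of the original post or of the mod itself. The sub name rewrite_pass, the $keep_others switch, the user names and the record layout are all constructed for illustration, and it assumes the system crypt() accepts a two-character salt.

```perl
use strict;
use warnings;

# Rebuild the contents of a .pass-style file when one user changes a password.
# $keep_others switches on the else-branch from the fix; without it, every
# line that does not belong to the current user is silently dropped.
sub rewrite_pass {
    my ($lines, $userid, $old, $new_hash, $keep_others) = @_;
    my ($output, $found, $message) = ('', 0, '');
    foreach my $pass (@$lines) {
        next if $pass =~ /^$/;                      # skip blank lines
        chomp(my $line = $pass);
        my ($user, $pw, @rest) = split /:/, $line;
        if ($user eq $userid) {
            $found = 1;
            if (crypt($old, $pw) eq $pw) {          # old password must match
                $output .= join(':', $user, $new_hash, @rest) . "\n";
            } else {
                $message = 'old password is incorrect';
            }
        } elsif ($keep_others) {
            $output .= $line . "\n";                # carry other users over
        }
    }
    $message = 'user not found' unless $found;
    # On any error, hand back nothing to write so the file is left untouched.
    return $message ? (undef, $message) : ($output, '');
}

# Constructed sample records: userid:hash:permission flags (illustrative layout).
my @passwds = map { "$_->[0]:" . crypt($_->[1], 'ab') . ":1:1:1:1:0\n" }
    (['alice', 'alpha1'], ['bob', 'bravo2'], ['carol', 'charlie3']);
my $new = crypt('newpass', 'cd');

for my $keep (0, 1) {
    my ($out) = rewrite_pass(\@passwds, 'bob', 'bravo2', $new, $keep);
    my $n = () = $out =~ /\n/g;                     # count lines to be written
    printf "%-14s users left in file: %d\n",
        $keep ? 'with else:' : 'without else:', $n;
}
my ($out, $msg) = rewrite_pass(\@passwds, 'bob', 'wrong', $new, 1);
print "wrong old password: ",
    (defined $out ? 'file rewritten' : "refused ($msg)"), "\n";
```

Running it against a copy of a password file, never the live one, shows the same symptom reported at the top of the thread: without the else branch only the current user's line survives the rewrite.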
Re: Still having trouble with .pass file (secure password mod) In reply to
Glen,

That did it, all right. I've installed the revisions, tested them, and they work fine. You neglected to include the changes necessary in the html.pl file in your fixed copy, which deals only with the changes to db.cgi. However, since you made reference to the earlier post on the subject, I was able to take them from there.

The occasions when not checking the old password hadn't occurred to me either. I know a lot of our members access the 'Net from work and checking the old password is a good precaution. Most programs I know that allow password changes ask for the old one as well as the new one twice. Now, the password mod does too.

This was a great collaborative effort.

One thing about computers is that they can teach you to think, not to take things for granted, and to be cautious in your work, checking every step of the way. If you don't, you find out the consequences really fast. It can also remind us that we all can overlook things and make mistakes, and that often others can help make one of our ideas better. In that respect, they can be most humbling (except for those of us who have already learned those lessons and remain humble).
Re: Still having trouble with .pass file (secure password mod) In reply to
Collaborative. Ayep! That's why I love perl, Alex's scripts, Carol's mods, and especially the support from this forum and from Alex and Carol, you, Eliot, and many others. I can't say how many times I have reaped huge benefits from lurking over other posts about many other script bugs, mods, or tweaks.

Just to be clear on one point for anyone else reading this thread: I only posted a replacement change_password subroutine for Carol's secure_lookup mod.

That's just one subroutine out of the whole mod, although in itself it's complete. I did not try to post any of the other changes necessary to make this mod work, since they are all in Carol's mod already, which can be acquired at http://www.jpdeni.com/dbman/mods.html. Hopefully, she will swap in this little fix and republish the whole thing.

Next puzzle: if I could just get my counter to read 00001, 00002, 00003, etc....!
Re: Still having trouble with .pass file (secure password mod) In reply to
I feel the same way about the program and the support here. From simple mods like turning URL and e-mail fields into hyperlinks to more complex mods like the secure password one, there is a tremendous amount of talent and help here.

I'm not a programmer, so the amount of help I can provide is more limited than many others, but I've been able to help a bit from things I've had to figure out. Sometimes I'm able to help by passing on information found elsewhere.

I've already added this correction to Carol's mod and sent it to her so she can update the downloadable version.

I was thinking that we might want to add some of the more desirable and frequently asked for mods to the resources section, taking the code from that supplied here. It would make it easier for new people to find and implement earlier. A week or two ago, Alex responded to an e-mail I sent and said he would be releasing a new version of DBMan soon that incorporates many of the mods, so it is probably a good idea to wait until then.

I'm just pleased that with all the help available here, that it keeps getting better and better.