Hi,
We're using OpenCart v1.5.4.1 and are running into a problem with the OpenCart store, NOT the admin side.
We have customers who forgot their password and click on the "forgotten password" link. They type in their email and get a confirmation that their password is reset. They then go into their email to retrieve the new password.
Upon entering that new automatically generated password into the store log in, they still get the error "Warning: No match for E-Mail Address and/or Password."
When I tested it and reset my own password on the store front, and used the automatically generated password, it does NOT work, but entering my original password does.
It seems the forgotten password link generates a new password, but does not overwrite the old password in the database. Is there a fix or other people experiencing this in their cart? I've done a search on the forums and only found problems with the "admin dashboard" side, not the store side.
Thanks in advance!
just did a test...
we have two carts...one without ssl -> forgotten password link works in resetting password
one with SSL does not work
I then turned off SSL to test the forgotten link and it still doesn't work. It sends the email, but the new password doesn't access the account. The old password still works.
Try this - in /catalog/model/account/customer.php find:

    public function editPassword($email, $password) {
        $this->db->query("UPDATE " . DB_PREFIX . "customer SET salt = '" . $this->db->escape($salt = substr(md5(uniqid(rand(), true)), 0, 9)) . "', password = '" . $this->db->escape(sha1($salt . sha1($salt . sha1($password)))) . "' WHERE email = '" . $this->db->escape($email) . "'");
    }

And replace it with:

    public function editPassword($email, $password) {
        $this->db->query("UPDATE " . DB_PREFIX . "customer SET salt = '" . $this->db->escape($salt = substr(md5(uniqid(rand(), true)), 0, 9)) . "', password = '" . $this->db->escape(sha1($salt . sha1($salt . sha1($password)))) . "' WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "'");
    }
-Ryan
Thanks rph!
This seems to have solved the problem. It appears that if the customer has upper and lower case combinations entered in the "forgot password" email address, it won't save the new password in the database, even though a "success" message shows up.
It seems your fix makes everything lowercase before searching in the database...which seems to have done the trick.
Thanks!
P.S. Should this be reported as a bug and added as a fix?
Thanks a ton, rph! I was having this same issue with 1.4.9.6, (though I didn't know the cause - after testing what was said here, sure enough, it was uppercase characters mixed into e-mail addresses) and was able to look at the two changes you made to the 1.5.x code and make the same changes to the code for 1.1.4.9.6, and it works perfectly now! For anyone using 1.4.9.6, or likely most 1.4.9 and possibly some earlier versions, here's the code for your version of this fix:
In /catalog/model/account/customer.php find:

    public function editPassword($email, $password) {
        $this->db->query("UPDATE " . DB_PREFIX . "customer SET password = '" . $this->db->escape(md5($password)) . "' WHERE email = '" . $this->db->escape($email) . "'");
    }

And replace it with:

    public function editPassword($email, $password) {
        $this->db->query("UPDATE " . DB_PREFIX . "customer SET password = '" . $this->db->escape(md5($password)) . "' WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "'");
    }
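The failure discussed in this thread (a reset that reports success while the UPDATE matches no row), reproduced as an added example that is not part of the thread and is not OpenCart code. It assumes PDO with in-memory SQLite, whose default text comparison is case-sensitive, as a stand-in for the store database; the table layout, function names and sample address are hypothetical.

```php
<?php
// Added example, not OpenCart code. Assumption: the email column is compared
// case-sensitively, as SQLite does by default for TEXT.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE customer (email TEXT, password TEXT)");
// Constructed sample row: the address was registered with mixed case.
$db->exec("INSERT INTO customer VALUES ('Jane.Doe@Example.com', 'old-hash')");

// Exact-match update, as in the original editPassword(). Returns rows changed.
function updateExact(PDO $db, $email, $hash) {
    $stmt = $db->prepare("UPDATE customer SET password = ? WHERE email = ?");
    $stmt->execute(array($hash, $email));
    return $stmt->rowCount();
}

// Case-normalised update, as in the fix posted in the thread.
function updateNormalised(PDO $db, $email, $hash) {
    $stmt = $db->prepare(
        "UPDATE customer SET password = ? WHERE LOWER(email) = ?"
    );
    $stmt->execute(array($hash, strtolower($email)));
    return $stmt->rowCount();
}

// Caller-side guard: report success only when exactly one row changed, so a
// reset that silently updated nothing is never confirmed to the customer.
function resetPassword(PDO $db, $email, $hash) {
    $changed = updateNormalised($db, $email, $hash);
    if ($changed !== 1) {
        error_log("password reset changed $changed rows, expected 1");
        return false;
    }
    return true;
}

$typed = 'jane.doe@example.com'; // what the customer typed on the reset form

// Exact match: no row is updated, yet nothing fails or throws.
var_dump(updateExact($db, $typed, 'new-hash'));
// Normalised match with the row-count guard: the row is updated.
var_dump(resetPassword($db, $typed, 'new-hash'));
// Unknown address: the guard returns false instead of claiming success.
var_dump(resetPassword($db, 'nobody@example.com', 'new-hash'));
```

The row-count check is what turns the silent mismatch into a visible failure; the `LOWER()` comparison alone only removes this one cause of it.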