Passwords Reset; Password Format Changed

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

This thread is closed to new posts. You must sign in to post in the forums.
6/24/2008 6:59:43 AM
Total Posts 43

Passwords Reset; Password Format Changed

Hi,

For some reason while using mojoPortal (MSSql) this morning the "Password Format" security setting of the mojoPortal site (child site) I was using changed to "plain text" from "Hashed in DB/Cannot be recovered", and all the users' passwords have been reset. The parent site's security setting is still "Hashed in DB/Cannot be recovered", and a sibling child site is the same. In the database the parent and sibling's users still have hashed passwords. I can't manually change the security setting of the child site since the dropdown list is greyed out. I'll make this change in the DB.

The symptom of this issue was as follows: I logged in to the child site, changed some themes around, then logged out. I couldn't log in again (authentication error) so assumed I'd forgotten my password (that I used a few mins before). I checked the DB to see if I recognised the password hash to discover all the users for this child site with plaintext passwords.

I checked my database backup and all passwords are encrypted, so I know it's not my imagination.

I see no error log in currentlog.config - the SQL transaction logs are also not enough to explain what happened - how can I tell what triggered mojoPortal to do this?

Can I set up some sort of logging with mojoPortal? I could recover the database to the backed up version, then try changing themes again?

I can't risk using mojoPortal if this is going to happen again. It's the equivalent of all site users being locked out simultaneously.

Thanks,

Kenny

6/24/2008 8:12:36 AM
Total Posts 18439

Re: Passwords Reset; Password Format Changed

Hi Kenny,

Changing a skin in a child site should not cause a change in password format unless the password format dropdown is also changed.  I will take a shot at trying to reproduce the problem here. If I find I can produce it or if you can tell me steps to reproduce it I will consider it a high priority bug and fix it right away. Maybe you can replicate the problem on a dev machine and tell me the steps to produce it? Are you using the newest version of mojoPortal?

Hope it helps,

Joe

6/24/2008 9:03:07 AM
Total Posts 43

Re: Passwords Reset; Password Format Changed

I have reverted the DB to the nightly backup. I can't imagine how this happened, and certainly if it does happen again I can just revert the database to the previous version.

Going through

Is there any audit logging that I can enable to track this sort of thing, so I'll know what went on if it happens again?

Thanks,

Kenny

6/24/2008 9:16:12 AM
Total Posts 18439

Re: Passwords Reset; Password Format Changed

You can get more verbose logging if you set log level to debug in log4net.config, but whether that actually would show anything relevant would depend on the debug logging statements in the code.

I've just tried steps to see if I could reproduce the problem but so far have not been able to. The only thing I found is that if I change the password format on purpose for a child site from the master site, login fails in the child site until the app is recycled by touching web.config. This is due to the heavy caching of the MembershipProviders by the runtime though so not much I can do but document it. Changing password format on purpose should be a very very seldom event in most cases though so this should be sufficient.

I have not been able to produce the symptom you saw though which was the apparent change of password format not on purpose but just as a side effect of other sitesettings changes and with the dropdown disabled at the time. It's possible I'm just not replicating your environment or the steps you took correctly. If you can reproduce it on your dev machine or tell me any other things that could be factors in reproducing it please let me know.

I'll review the code for site settings updates now and try to think of any situations that could cause this.

Best,

Joe

6/24/2008 9:18:48 AM
Total Posts 18439

Re: Passwords Reset; Password Format Changed

I suppose the other possible audit point is SQL. There are ways of logging sql activity that might enable you to track which procs are executed and what is passed to them. Maybe you could filter it to just procs that touch mp_Sites. I don't know all the steps but I know it can be done.

Best,

Joe
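
A database-side audit point for the situation discussed above, as an added example that is not part of the original posts and not mojoPortal code. It uses an AFTER UPDATE trigger rather than a trace, and it only records that the password format of a site changed, when, and from which login, host and application, so the entry can be correlated with a SQL trace or web server log. The column names SiteID and PasswordFormat on mp_Sites are assumptions, and the audit table and trigger names are hypothetical.

```sql
-- Added example (T-SQL, SQL Server). Not mojoPortal code.
-- Assumptions: dbo.mp_Sites has an integer key SiteID and an integer
-- PasswordFormat column. PasswordFormatAudit and the trigger name are
-- hypothetical names chosen for this example.

CREATE TABLE dbo.PasswordFormatAudit (
    AuditID      INT IDENTITY(1,1) PRIMARY KEY,
    ChangedAtUtc DATETIME      NOT NULL DEFAULT (GETUTCDATE()),
    SiteID       INT           NOT NULL,
    OldFormat    INT           NULL,
    NewFormat    INT           NULL,
    LoginName    NVARCHAR(128) NOT NULL DEFAULT (SUSER_SNAME()),
    HostName     NVARCHAR(128) NULL     DEFAULT (HOST_NAME()),
    AppName      NVARCHAR(128) NULL     DEFAULT (APP_NAME())
);
GO

CREATE TRIGGER dbo.trg_mp_Sites_PasswordFormatAudit
ON dbo.mp_Sites
AFTER UPDATE
AS
BEGIN
    SET NOCOUNT ON;

    -- Compare the before (deleted) and after (inserted) images of each
    -- updated row and log only rows whose password format really changed.
    INSERT INTO dbo.PasswordFormatAudit (SiteID, OldFormat, NewFormat)
    SELECT d.SiteID, d.PasswordFormat, i.PasswordFormat
    FROM deleted  AS d
    JOIN inserted AS i ON i.SiteID = d.SiteID
    WHERE ISNULL(d.PasswordFormat, -1) <> ISNULL(i.PasswordFormat, -1);
END;
GO

-- Review the audit trail, newest change first.
SELECT ChangedAtUtc, SiteID, OldFormat, NewFormat,
       LoginName, HostName, AppName
FROM dbo.PasswordFormatAudit
ORDER BY ChangedAtUtc DESC;
```

Try it on a restored copy of the database first; an update that touches mp_Sites without changing the format writes no audit row.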

6/24/2008 10:35:55 AM
Total Posts 43

Re: Passwords Reset; Password Format Changed

Hi Joe,

Thanks for your swift response as always.

I've tried to replicate this in the same development environment where it occurred several times and have not so far replicated this. I'll keep a better track of what I'm doing. I'll start a SQL Server trace for the DB so that I can see what is happening if it reoccurs. I'll look into adding some appropriate verbose log4net auditing too.

All the best,

Kenny
