Jump to content
sam

Error: Unable to Generate Hash when trying to login into Admin

Recommended Posts

Hi, I'm new to Processwire and I have to say that after reading through your forum and some of your tutorials I have taken the plunge and installed PW and quite like the CMF/CMS that you have developed and congratulate you and your communities efforts to date.

I have come up against a problem when trying to develop between multiple environments i.e. dev, staging, production. The problem I am facing is that after doing and ProcessWire 2.2.13 installation (without problems) on my dev environment and then I move the site to staging or another developers environment, when I try to login to the Administration area I get a error "Unable to generate password hash". I have tried to empty cache, both browser and physical files and still get the error message and I can't login to the control panel.

My Staging environments is running Apache 2 and PHP 5.2.17 (can't upgrade to 5.3 or 5.4 due to another cms legacy issue) and my Dev environment runs on MAMP 2.0 with Apache 2 and PHP 5.2.17 also.

I have checked AMP logs and can't see anything out of the ordinary there. Just wondering if I'm missing anything. Any help would be greatly appreciated.

Cheers Sambo.

Share this post


Link to post
Share on other sites

What about the hash key in the /site/config.php? This should be different from server to server install. Or maybe try disable fingerprint setting in there?

Share this post


Link to post
Share on other sites

Hi I Disabled fingerprint settings but I'm still getting the same error, how do I change the hash key?

Share this post


Link to post
Share on other sites

It's the same on my Dev and Staging, but I'm still getting an error. Reading the comment above the setting it says that it should be the same on both servers.

Share this post


Link to post
Share on other sites

Have checked session folder perms or delete them and cookies? Can you try using db session or are you using it?

Share this post


Link to post
Share on other sites

Sessions and Cache folders have nothing in them, and the perms are set to 777, just deleted the cookies and still not logging in. Where can I set db session?

Share this post


Link to post
Share on other sites

Hmm, The error you mention can't be found in PW, so is it an php error? Maybe something to do with PHP install and $config->userAuthHashType = 'sha1'; ?

Share this post


Link to post
Share on other sites

I check the PHP Logs and there isn't an error generated. My $config->userAuthHashType is set to SHA1.

Share this post


Link to post
Share on other sites

OK, I think this might be a PHP 5.2.17 error, if I change MAMP to use PHP 5.3.14 the error goes away and I can login, but my production server is running 5.2.17 so bit stuck here, is there some way to set this to a legacy encrypt/decrypt setting?

Share this post


Link to post
Share on other sites

I have php 5.2.9 and works all well. I don't think there legacy version.

As I said earlier you might check if $config->userAuthHashType = "sha1" is supported by your server or need different setting.

Also check php info to see if mcrypt blowfish is installed and what hash engines are available.

Share this post


Link to post
Share on other sites

Not sure how I can check if the server supports sha1 but I checked my php info page and below are the settings on the server.

mcrypt.jpg

hash.jpg

Cheers Sambo.

Share this post


Link to post
Share on other sites

That error message is coming from this file:

/wire/core/Password.php

if(!is_string($hash) || strlen($hash) <= 13) throw new WireException("Unable to generate password hash");

It sounds like the server supports Blowfish but when PHP is asked to return a blowfish hash, PHP's crypt function is returning an error for one reason or another. 

ProcessWire only uses $config->userAuthHashType if the server does not support blowfish. The reality is, it's a bad idea to use anything less when blowfish is available. But in your case, it sounds like we've got the server reporting "I can do blowfish" and then bowing out when we ask it to do so. What you might want to try to do is modify that Password.php file and change this function:

public function supportsBlowfish() {
  return defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH;
}
to this:
 
public function supportsBlowfish() {
  return false;
}

If that fixes it, please let me know. I can add a config option to bypass blowfish

Share this post


Link to post
Share on other sites

I actually got this same error just today on one dev site. It has been running dev versions and when trying to change password it threw that error. I updated to latest dev and still same. But just for this one user, others and new ones work just fine.

Share this post


Link to post
Share on other sites

Hi Ryan I commented out the function in Password.php and added the recommended one into the file straight after it, but it still throws the same error.

Share this post


Link to post
Share on other sites

@sam, @apeisa: can you replace the line that says this (in /wire/core/Password.php):

if(!is_string($hash) || strlen($hash) <= 13) throw new WireException("Unable to generate password hash");

with this:

if(!is_string($hash) || strlen($hash) <= 13) 
  throw new WireException("pass=$pass | hash=$hash | hashType=$hashType | salt1=$salt1");

Let me know what it says? I'm curious what sort of data is in there. 

Share this post


Link to post
Share on other sites

No probs, following is the error output:

pass=mXXXXXX | hash=$2sNTd9VF43kk | hashType=blowfish | salt1=$2y$11$pTGSdPI7.YVGe70VuRhF6e

Just to clarify, I still have this function set as well:  

public function supportsBlowfish() { return false; }

and the following for salt:

$config->userAuthSalt = '572fe5f9277ca75a16f78330eb3a0279';

field_password table in the database shows the following:

pages_id   data                               salt
41         FDUxEZx7t/1FDuDfB0wcwJrNSJ5rN/6    $2a$11$kPxOgAJBU6.fnYF0cE0jh.

Cheers Sambo

Share this post


Link to post
Share on other sites

Sounds like a bug in is_string() in PHP 5.2.17 or perhaps the string with the leading dollar in it is being interpolated by PHP somehow leading to a string that is shorter than 13 characters. What do you get for this...

$hash = '$2'; // Make sure you use single quotes here please.
if (!is_string($hash)) {
    echo "Buggy";
} else {
    echo "Interpolation maybe?";
}

...?

Edited to add: Ignore the above, I posted at about 5am after an all-night bug hunt.

Possibly unrelated: there are reports of Crypt() differences coming in between different PHP versions. Sorry I don't have time to look at this more but very busy at the moment.

Share this post


Link to post
Share on other sites

I'm away from that machine at the moment, I'll have a look when I get to it in about 5 hours.

Share this post


Link to post
Share on other sites
pass=mXXXXXX | hash=$2sNTd9VF43kk | hashType=blowfish | salt1=$2y$11$pTGSdPI7.YVGe70VuRhF6e

That part I underlined and bolded above is revealing. What type of hash is indicated by $2s? It's not documented with PHP. Blowfish uses $2y, $2x and $2a. I incorrectly assumed that the '$2' set was reserved for blowfish, and looking at this, clearly it's not. It looks to me like it must have fallen back to some kind of DES encryption, but I honestly have no idea what it is. I'm just glad we had that check in there to throw the error, and glad you came here to report it. :) I've updated the isBlowfish() function to specifically check for only $2y, $2x and $2a and assume anything else is not blowfish.

Can you try out the attached Password.php file to replace /wire/core/Password.php?

Password.php

You will have to reset the password for any accounts that have this unknown hash, as that hash is not portable across systems. You can reset a password from the API like this:

$u = $users->get('sam');
$u->of(false);
$u->pass = 'new-password';
$u->save();

Or you can just do it from the admin when logged into a superuser account. 

One other thing to note is that if your passwords are defined on a PHP 5.3.x or newer installation, and then migrated to an [older] PHP 5.2.x installation, the passwords will no longer work. This is because PHP 5.2.x doesn't have the ability to generate blowfish hashes (at least not the kind that are useful for passwords). So if our live server is PHP 5.2 and your dev is 5.3 or newer, only set your passwords on the live server.

I also want to recommend moving any PHP 5.2 installs to 5.3. We will be dropping support for PHP 5.2 either in ProcessWire 2.4 or 2.5, as we move to PSR-0 and namespace support. 

Share this post


Link to post
Share on other sites

Hi Ryan, I replaced the Password.php file and tried to change the user password but I kept getting "Internal 500 Errors" every time I tried to run it through a template or via the API from command line. Anyway I found it easier to actually setup another site in MAMP whilst I was using PHP version 5.2, then copy the "$config->userAuthSalt" setting to my existing config.php and the values in the "field_pass" database table to the existing sites database from the temporary site I setup. This now allows me to login and create extra users. 

All working now, until I upgrade my server to php 5.4 which will be in the next couple weeks, I'll remember to keep the PHP version to 5.2 both in Dev and Production environments.

Cheers Sambo.

  • Like 1

Share this post


Link to post
Share on other sites
Hi Ryan, I replaced the Password.php file and tried to change the user password but I kept getting "Internal 500 Errors" every time I tried to run it through a template or via the API from command line.

You should be able to get more detail by checking your log file: /site/assets/logs/errors.txt

All working now, until I upgrade my server to php 5.4 which will be in the next couple weeks, I'll remember to keep the PHP version to 5.2 both in Dev and Production environments.

The ideal situation would be to upgrade both to PHP 5.4. But if you can't upgrade the production environment and don't want to downgrade your dev environment, you could set that supportsBlowfish() function in Password.php to always return false. However, I would look at finding a way to get the production environment upgraded because ProcessWire 2.3 is likely the last version that will work on PHP 5.2 (though that's not yet certain). 

Share this post


Link to post
Share on other sites

Hi, just migrated one project to production server. My dev enviroment have PHP 5.4 and production server have only version 5.3.3-7.

So i had error: Unable to Generate Hash....

I solved it this way:

1. On localhost logged as admin

2. Changed file Password.php

from

public function supportsBlowfish() {
        return version_compare(PHP_VERSION, '5.3.0') >= 0 && defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH;
    }
 

to

public function supportsBlowfish() {
        /* HOSTING FIX */
        return version_compare(PHP_VERSION, '5.4.0') >= 0 && defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH;
    }
 

3. Changed admin password in users setup

4. Copied new values from local DB table field_pass (data,salt) to production DB.

This WORKAROUND fixed login problem.

Looks like we need better check in Password.php

Share this post


Link to post
Share on other sites

Blowfish hashing was added to PHP in 5.3, so any version 5.3 and newer supports it. However, a security problem was found in versions of PHP 5.3 prior to 5.3.7, so they fixed it. Newer versions of PHP are still compatible with the old, but versions prior to 5.3.7 are not compatible with passwords generated on newer versions of PHP. Since your host is using PHP 5.3.3, this is likely why you ran into an issue. But a commercial hosting provider should probably not be using a PHP version earlier than 5.3.7 due to that security issue. So the workaround is probably not a good idea since it is circumventing that. I strongly recommend asking your host to upgrade the PHP version.

  • Like 1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By franciccio-ITALIANO
      Hi, I need to provide a quite complex user registration form: description, subdescription, drop-down lists etc. 
      Through this registration, users will be able to access and comment.
      If someone responds to their comments, I would like a NOTIFICATION to appear when accessing their panel.
      My social interaction project is just that, it seems simple, I don't need more.
      Now I am undecided whether to use buddypress, elgg, or a native processwire system.
      What do you recommend? 
      If you recommend processwire, which modules should I install?
      Do they work or is processwire too immature for that?
      Translated with www.DeepL.com/Translator (free version)
    • By abdulqayyum
      Dear processwire community,
      i have a problem in loginRegister module, i could not add custom field in login and register page.
      i read from plugin documentation. they are saying.
      " By default, the email and password fields are required for both forms. You may want to add more fields. To do this, you’ll need to add fields to your “user” template. You can add fields to your user template in the admin by going to “Setup > Templates > Show system templates > user”.

      but i could not find similar scenario like “Setup > Templates > Show system templates > user”
      i can see just "Setup > Templates" not seeing "Show system templates > user" in my admin panel.

      Please help me in this case that how i can add custom field in these two page.
      Regards AbdulQayyum

    • By Noel Boss
      👋 PW Pros…
      I have some hooks that I need to bind at the init phase (or even __construct) and I was wondering, and I couldn't find a good and simple way to determine if I'm in the admin. Would be nice if there is a reliable short option to do so, but I can't seem to find one… Is there a coherent way to tell this no matter where I am?
      Right now, I use the following method inside one of my modules:
      public function isAdmin($page = null) { if ( strpos($this->input->url, $this->urls->admin) !== false || $this->process instanceof ProcessPageList || $this->process instanceof ProcessPageEdit || ($page instanceof Page && $page->rootParent->id == $this->config->adminRootPageID) ) { return true; } return false; } @ryan wouldn't it be nice to have something like wire()->isAdmin(); like wire()->user->isLoggedin(); to tell if we are in admin – very early on (probably even in __construct() phase of modules?
    • By Noel Boss
      Admin Theme Boss
      A light and clear theme based on Uikit 3
      Features
      Five unique color options Beautifully redesigned login screens Modern typography using Roboto Condensed Extended breadcrumb with edit links Extends AdminThemeUikit, so you can continue using all current and future AdminThemeUikit features Option to activate theme for all users Compatibility with AdminOnStreoids and other third party modules   Updated and Releases
      There is a shiny new release page where you can subscribe to updates for new releases of AdminThemeBoss.   Color Variants:
      ProcessWire Blue


       
      Dark Black


       
      Vibrant Blue

       
      Happy Pink

      Smooth Green *new with 0.6.1*

       
      Requirements
      Requires a current ProcessWire version with AdminThemeUikit installed and activated.
      Installation
      Make sure AdminThemeUikit is activated Go to “Modules > Site > Add New“ Paste the Module Class Name “AdminThemeBoss“ into the field “Add Module From Directory“ Click “Download And Install“ On the overview, click “Download And Install“ again… On the following screen, click “Install Now“

      Manual Installation
      Make sure the above requirements are met Download the theme files from GitHub or the ProcessWire Modules Repository. Copy all of the files for this module into /site/modules/AdminThemeBoss/ Go to “Modules > Refresh” in your admin Click “Install“ on the “AdminThemeBoss“ Module
    • By Anton
      Hi there,
      I'm working with Processwire 3. Before summer I had issues to load to my backend. I finally managed to connect thanks to this : 
      $admin = wire('users')->get('admin');
      $admin->setOutputFormatting(false);
      $admin->set('pass', 'yo12345ZZ')
      $admin->save('pass');
      But later, the problem evolved: when I logged in to the site, the login page redirected me to the home. I didn't find any information about it on the web.
      But recently, the redirection has changed, now it is the login page that reloads when you connect. 
      I don't know where to start to fix this. It looks like sorcery.
      Thank you for all the help you can give me.
       
×
×
  • Create New...