Jump to content
sam

Error: Unable to Generate Hash when trying to login into Admin

Recommended Posts

Hi, I'm new to Processwire and I have to say that after reading through your forum and some of your tutorials I have taken the plunge and installed PW and quite like the CMF/CMS that you have developed and congratulate you and your communities efforts to date.

I have come up against a problem when trying to develop between multiple environments i.e. dev, staging, production. The problem I am facing is that after doing and ProcessWire 2.2.13 installation (without problems) on my dev environment and then I move the site to staging or another developers environment, when I try to login to the Administration area I get a error "Unable to generate password hash". I have tried to empty cache, both browser and physical files and still get the error message and I can't login to the control panel.

My Staging environments is running Apache 2 and PHP 5.2.17 (can't upgrade to 5.3 or 5.4 due to another cms legacy issue) and my Dev environment runs on MAMP 2.0 with Apache 2 and PHP 5.2.17 also.

I have checked AMP logs and can't see anything out of the ordinary there. Just wondering if I'm missing anything. Any help would be greatly appreciated.

Cheers Sambo.

Share this post


Link to post
Share on other sites

What about the hash key in the /site/config.php? This should be different from server to server install. Or maybe try disable fingerprint setting in there?

Share this post


Link to post
Share on other sites

Hi I Disabled fingerprint settings but I'm still getting the same error, how do I change the hash key?

Share this post


Link to post
Share on other sites

$config->userAuthSalt = '...';

Share this post


Link to post
Share on other sites

It's the same on my Dev and Staging, but I'm still getting an error. Reading the comment above the setting it says that it should be the same on both servers.

Share this post


Link to post
Share on other sites

Have checked session folder perms or delete them and cookies? Can you try using db session or are you using it?

Share this post


Link to post
Share on other sites

Sessions and Cache folders have nothing in them, and the perms are set to 777, just deleted the cookies and still not logging in. Where can I set db session?

Share this post


Link to post
Share on other sites

Hmm, The error you mention can't be found in PW, so is it an php error? Maybe something to do with PHP install and $config->userAuthHashType = 'sha1'; ?

Share this post


Link to post
Share on other sites

I check the PHP Logs and there isn't an error generated. My $config->userAuthHashType is set to SHA1.

Share this post


Link to post
Share on other sites

OK, I think this might be a PHP 5.2.17 error, if I change MAMP to use PHP 5.3.14 the error goes away and I can login, but my production server is running 5.2.17 so bit stuck here, is there some way to set this to a legacy encrypt/decrypt setting?

Share this post


Link to post
Share on other sites

I have php 5.2.9 and works all well. I don't think there legacy version.

As I said earlier you might check if $config->userAuthHashType = "sha1" is supported by your server or need different setting.

Also check php info to see if mcrypt blowfish is installed and what hash engines are available.

Share this post


Link to post
Share on other sites

Not sure how I can check if the server supports sha1 but I checked my php info page and below are the settings on the server.

mcrypt.jpg

hash.jpg

Cheers Sambo.

Share this post


Link to post
Share on other sites

That error message is coming from this file:

/wire/core/Password.php

if(!is_string($hash) || strlen($hash) <= 13) throw new WireException("Unable to generate password hash");

It sounds like the server supports Blowfish but when PHP is asked to return a blowfish hash, PHP's crypt function is returning an error for one reason or another. 

ProcessWire only uses $config->userAuthHashType if the server does not support blowfish. The reality is, it's a bad idea to use anything less when blowfish is available. But in your case, it sounds like we've got the server reporting "I can do blowfish" and then bowing out when we ask it to do so. What you might want to try to do is modify that Password.php file and change this function:

public function supportsBlowfish() {
  return defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH;
}
to this:
 
public function supportsBlowfish() {
  return false;
}

If that fixes it, please let me know. I can add a config option to bypass blowfish

Share this post


Link to post
Share on other sites

I actually got this same error just today on one dev site. It has been running dev versions and when trying to change password it threw that error. I updated to latest dev and still same. But just for this one user, others and new ones work just fine.

Share this post


Link to post
Share on other sites

Hi Ryan I commented out the function in Password.php and added the recommended one into the file straight after it, but it still throws the same error.

Share this post


Link to post
Share on other sites

@sam, @apeisa: can you replace the line that says this (in /wire/core/Password.php):

if(!is_string($hash) || strlen($hash) <= 13) throw new WireException("Unable to generate password hash");

with this:

if(!is_string($hash) || strlen($hash) <= 13) 
  throw new WireException("pass=$pass | hash=$hash | hashType=$hashType | salt1=$salt1");

Let me know what it says? I'm curious what sort of data is in there. 

Share this post


Link to post
Share on other sites

No probs, following is the error output:

pass=mXXXXXX | hash=$2sNTd9VF43kk | hashType=blowfish | salt1=$2y$11$pTGSdPI7.YVGe70VuRhF6e

Just to clarify, I still have this function set as well:  

public function supportsBlowfish() { return false; }

and the following for salt:

$config->userAuthSalt = '572fe5f9277ca75a16f78330eb3a0279';

field_password table in the database shows the following:

pages_id   data                               salt
41         FDUxEZx7t/1FDuDfB0wcwJrNSJ5rN/6    $2a$11$kPxOgAJBU6.fnYF0cE0jh.

Cheers Sambo

Share this post


Link to post
Share on other sites

Sounds like a bug in is_string() in PHP 5.2.17 or perhaps the string with the leading dollar in it is being interpolated by PHP somehow leading to a string that is shorter than 13 characters. What do you get for this...

$hash = '$2'; // Make sure you use single quotes here please.
if (!is_string($hash)) {
    echo "Buggy";
} else {
    echo "Interpolation maybe?";
}

...?

Edited to add: Ignore the above, I posted at about 5am after an all-night bug hunt.

Possibly unrelated: there are reports of Crypt() differences coming in between different PHP versions. Sorry I don't have time to look at this more but very busy at the moment.

Share this post


Link to post
Share on other sites

I'm away from that machine at the moment, I'll have a look when I get to it in about 5 hours.

Share this post


Link to post
Share on other sites
pass=mXXXXXX | hash=$2sNTd9VF43kk | hashType=blowfish | salt1=$2y$11$pTGSdPI7.YVGe70VuRhF6e

That part I underlined and bolded above is revealing. What type of hash is indicated by $2s? It's not documented with PHP. Blowfish uses $2y, $2x and $2a. I incorrectly assumed that the '$2' set was reserved for blowfish, and looking at this, clearly it's not. It looks to me like it must have fallen back to some kind of DES encryption, but I honestly have no idea what it is. I'm just glad we had that check in there to throw the error, and glad you came here to report it. :) I've updated the isBlowfish() function to specifically check for only $2y, $2x and $2a and assume anything else is not blowfish.

Can you try out the attached Password.php file to replace /wire/core/Password.php?

Password.php

You will have to reset the password for any accounts that have this unknown hash, as that hash is not portable across systems. You can reset a password from the API like this:

$u = $users->get('sam');
$u->of(false);
$u->pass = 'new-password';
$u->save();

Or you can just do it from the admin when logged into a superuser account. 

One other thing to note is that if your passwords are defined on a PHP 5.3.x or newer installation, and then migrated to an [older] PHP 5.2.x installation, the passwords will no longer work. This is because PHP 5.2.x doesn't have the ability to generate blowfish hashes (at least not the kind that are useful for passwords). So if our live server is PHP 5.2 and your dev is 5.3 or newer, only set your passwords on the live server.

I also want to recommend moving any PHP 5.2 installs to 5.3. We will be dropping support for PHP 5.2 either in ProcessWire 2.4 or 2.5, as we move to PSR-0 and namespace support. 

Share this post


Link to post
Share on other sites

Hi Ryan, I replaced the Password.php file and tried to change the user password but I kept getting "Internal 500 Errors" every time I tried to run it through a template or via the API from command line. Anyway I found it easier to actually setup another site in MAMP whilst I was using PHP version 5.2, then copy the "$config->userAuthSalt" setting to my existing config.php and the values in the "field_pass" database table to the existing sites database from the temporary site I setup. This now allows me to login and create extra users. 

All working now, until I upgrade my server to php 5.4 which will be in the next couple weeks, I'll remember to keep the PHP version to 5.2 both in Dev and Production environments.

Cheers Sambo.

  • Like 1

Share this post


Link to post
Share on other sites
Hi Ryan, I replaced the Password.php file and tried to change the user password but I kept getting "Internal 500 Errors" every time I tried to run it through a template or via the API from command line.

You should be able to get more detail by checking your log file: /site/assets/logs/errors.txt

All working now, until I upgrade my server to php 5.4 which will be in the next couple weeks, I'll remember to keep the PHP version to 5.2 both in Dev and Production environments.

The ideal situation would be to upgrade both to PHP 5.4. But if you can't upgrade the production environment and don't want to downgrade your dev environment, you could set that supportsBlowfish() function in Password.php to always return false. However, I would look at finding a way to get the production environment upgraded because ProcessWire 2.3 is likely the last version that will work on PHP 5.2 (though that's not yet certain). 

Share this post


Link to post
Share on other sites

Had the same problem, upgrading to PHP 5.4 solved it.

Share this post


Link to post
Share on other sites

Hi, just migrated one project to production server. My dev enviroment have PHP 5.4 and production server have only version 5.3.3-7.

So i had error: Unable to Generate Hash....

I solved it this way:

1. On localhost logged as admin

2. Changed file Password.php

from

public function supportsBlowfish() {
        return version_compare(PHP_VERSION, '5.3.0') >= 0 && defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH;
    }
 

to

public function supportsBlowfish() {
        /* HOSTING FIX */
        return version_compare(PHP_VERSION, '5.4.0') >= 0 && defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH;
    }
 

3. Changed admin password in users setup

4. Copied new values from local DB table field_pass (data,salt) to production DB.

This WORKAROUND fixed login problem.

Looks like we need better check in Password.php

Share this post


Link to post
Share on other sites

Blowfish hashing was added to PHP in 5.3, so any version 5.3 and newer supports it. However, a security problem was found in versions of PHP 5.3 prior to 5.3.7, so they fixed it. Newer versions of PHP are still compatible with the old, but versions prior to 5.3.7 are not compatible with passwords generated on newer versions of PHP. Since your host is using PHP 5.3.3, this is likely why you ran into an issue. But a commercial hosting provider should probably not be using a PHP version earlier than 5.3.7 due to that security issue. So the workaround is probably not a good idea since it is circumventing that. I strongly recommend asking your host to upgrade the PHP version.

  • Like 1

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By jploch
      Hey folks,
      Iam working on a new Admin Theme, based on AdminThemeReno, which I would like to release for the public soon.
      Now I want to style the login page to fit the look and feel of the backend.

      After some research, I found out that I have to set the "$config->defaultAdminTheme = 'AdminThemeName' " inside my site config.php file to load all the styles from my admin theme on the login page instead of the default ones.
      Is it possible to set this via api from my Admin Theme settings, without the need of editing the config file?
       
    • By DanielKit
      Hi. I'm currently stuck at the login page in my project. Once I enter my admin username and my password and press login, nothing happens. The page just reloads. However, the URL changes from http://myipaddress/processwire to http://myipaddress/processwire/?login=1. I've checked all of my server settings, and to my knowledge, all seems to be fine there. I don't know where to go from here.. Thanks in advance!
    • By modifiedcontent
      Small annoyance: I get a horizontal scrollbar in UIkit admin area - or actually Admin Theme Boss based on Uikit 3. I tried to fix it with CSS, but had trouble isolating/targeting it and don't want to mess with module or core files. I think this issue has been reported before. Is there a recommended fix? 
    • By FireWire
      Hey all. I'm having an issue with the new custom page classes feature which is a fantastic tool.
      I am running into a recursion issue when attempting to call a custom page class. I have a class called BlogPostPage.php (for blog-post.php) which contains a method called getSummary(). That method gets a summary field or truncates the body in it's absence. I've attached photos of the template code, custom page class code (which I've simplified for testing), and the PW output error.
      There is no recursion in the getSummary() method. This error occurs whether I output multiple blog posts in a loop or if I output one blog post with no looping in my template code.

      In use:
      ProcessWire 3.0.164 dev
      PHP 7.3.13

      I am also using the Template Engine Twig module which has not caused any errors or issues thus far.
      Many thanks!



×
×
  • Create New...