Problems to login with 1.0.9 version

[effi]

Hello,
As in the french forum, it seems to be here the same problem to login
I try to sign as a webmaster cannot come in
i pushed the button lost password, and i get another password, tried again and nothing came

Some of the people of my client have the same problem and there is 25% mail adress registered, but no website, because they couldn' enter to add their own websites, no message whether the identification or password do not match not the same characters.

in the french forum i posted some bug report ansd there is several answers

some people try to enter with www if they do it is no www in database and it doesnt work (or the inverse) -->so you MUST write a htaccess to transform the url.

there was trouble with missing messages i gave to you in javascript section of languages files.

if you choose the option confirm by mail, YOU MUST upgrade the template with arf recommendations for template and language section

and it seems there is another problem . we encounter there !!!


Any idea to fix the problem ?

[ping]

sometimes you cant remember your password and the "recover password" is not working (mail config or something with htaccess), so here's what i did:
1) create a dummy acount with password 1234
2) go to the phpmyadmin, your_table, arfooo_users then just copy the password code (i think its md5) to the user you want to change the password, so it changes to 1234
i'm sure there are other ways but this is so simple ;P

more tips (.htaccess)
# domain.com TO www.domain.com
RewriteCond %{http_host} ^YOURDOMAIN.com [NC]
RewriteRule ^(.*)$ http://www.YOURDOMAIN.com/$1 [R=301,L]

# to avoid duplicate content (SEO) if you have multiple domains pointing to just one directory
RewriteCond %{HTTP_HOST} ^www.domain222.net$[OR]
RewriteCond %{HTTP_HOST} ^domain222.net$
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]

[effi]

hello Ping,
The login problem is not mine but webmasters who sign in but couldn't enter : the login page refresh allways
and it is 25% of webmasters with an email adress but no website
, so there is a problem somewhere
perhaps only a problem of matching low or high typing characters, but i am not enough good in programming to add a message !

i think the problem is there inthe javascript/webmaster/loginfunction.js

Code: Select all

   var onRegisterSuccess = function (ajaxObj)
    {
      var response = ajaxObj.parseJSON();
       
      if(response.registered)
      {
         $('webmasterInscriptionBlockHeader').hide();
         $('webmasterInscriptionBlockContent').hide();
         alert(successMessage);
           
         loginForm.email.focus();
         loginForm.email.select();
      }
      else
      {
         if(inscriptionForm.publicCode)
         {
                CaptchaCode.replaceCaptchaImage(inscriptionForm.publicCode.value, inscriptionForm);   
            alert(response.message);
                 alert(notSuccessMessage);
         }
           
         inscriptionForm.privateCode.focus();
         inscriptionForm.privateCode.select();
      }
    }
   
    ajax.set("onSuccess", onRegisterSuccess.handler(this))       
    ajax.post(setting.registerUrl);
   
   return false;
}

or in AjaxFormSubmitter.js

Code: Select all

   switch(response.status)
        {
            case "ok":
               
                alert(response.message);
               
                if(response.refresh)
                {
                    window.location.reload(false);
                }
               
                if(response.redirectUrl)
                {
                    window.location = response.redirectUrl;
                }
                 
                break;
           


[saidbakr]

Hello,

Till this time I have not deeply analysed the problem. However, according to your suggestion that relates the problem to JavaScript's files *.js, I may suggest to try login using another web browser.

If really, the problem related to Javascript, this will mean it is a client side dependent problem, so using of another browser may mean a temporary solution.

++++++++++++++++
Again! I have just made an initial analysis for the problem and it may be due to a scurity bug!.
The lost password mechanism follows a wrong behavior. It is just requires the user email supplied to the field and then the password is automatically changed, then it will be sent to your email. In this case, if your email service provider works fine, the email sent with your new password may be got lost! This simply means that, anyone are able to partially hijack the user's account by knowing his registered email and so prevent him to log in his account.

I've done an experminet using two emails addresses one is uses gmail.com and the other uses yalla.com. Ofcourse gmail is the best and powerful than yalla.com, so I have received the email with the new password and everything go well, but the yalla.com, lost the email!.

The lost password mechanism should be changed, to be, there is no any change to the password without user's confirmation code.

At current time I have no enough background about the script or even skills to do such modification, We just need to ask Arf to cover it among the incoming version or releasing a batch for it.