View Issue Details

ID: 0006072
Project: Composr
Category: core_cns
View Status: public
Last Update: 2025-01-03 17:47
Reporter: Patrick Schmalstig
Assigned To: Patrick Schmalstig
Severity: Feature-request
Status: resolved
Resolution: fixed
Product Version: 11.beta6
Fixed in Version: (not set)
Summary: 0006072: If the password ratchet is changed, update member passwords when they next log in

Description:

"It is impossible to retroactively upgrade old password hashes, or to retroactively downgrade password hash complexity if you set it too high – unless you force users to change their passwords."

This statement is not entirely true. When a member logs in, we can gather what the ratchet was when hashing a member's password by looking at the hash itself. And then we can compare it to the site ratchet. If they are not equal, and we know the member's password because they just attempted a log-in (so we have their input in plain text), we can re-hash their password in the database after verifying with the old hash.

This is ideal for enhanced security without always having to force password resets.
Tags: Roadmap: v11, Type: Security
Time estimation (hours): (not set)
Sponsorship: open
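The re-hash-on-login flow from the issue description, as an added Python example (not Composr's own code, which is PHP and has its own hash format): the ratchet is read back out of the stored hash, the password is verified against that old ratchet, and only then is a fresh hash at the site ratchet produced for the caller to write back. The PBKDF2 iteration count standing in for the ratchet, the self-describing hash string layout, and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hypothetical site-wide setting: the current "ratchet" (PBKDF2 iteration count).
SITE_RATCHET = 300_000


def hash_password(password: str, ratchet: int, salt: Optional[bytes] = None) -> str:
    """Hash with PBKDF2-SHA256 and embed the ratchet in the stored string."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ratchet)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        ratchet,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def parse_hash(stored: str) -> Tuple[int, bytes, bytes]:
    """Recover (ratchet, salt, digest) from a stored hash string."""
    _, algo, ratchet, salt, digest = stored.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError("unsupported hash format: " + algo)
    return int(ratchet), base64.b64decode(salt), base64.b64decode(digest)


def verify_password(password: str, stored: str) -> bool:
    """Verify using the ratchet the hash was created with, not the site's."""
    ratchet, salt, digest = parse_hash(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ratchet)
    return hmac.compare_digest(candidate, digest)


def login(password: str, stored: str, site_ratchet: int = SITE_RATCHET) -> Tuple[bool, Optional[str]]:
    """Return (accepted, replacement_hash).

    replacement_hash is a fresh hash at the site ratchet whenever the stored
    hash used a different ratchet (higher or lower); the caller writes it back
    to the members table. It is None when the password is wrong or no re-hash
    is needed. The plaintext is only available here because the member just
    typed it at the login form.
    """
    if not verify_password(password, stored):
        return False, None
    if parse_hash(stored)[0] == site_ratchet:
        return True, None
    return True, hash_password(password, site_ratchet)
```

A member who never logs in again keeps the old hash, so this upgrades hashes lazily rather than forcing a reset.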

Activities

admin

2025-01-03 17:47

administrator ~0009751

Automated response: If the password ratchet is changed, update member passwords when they next log in

This patch introduces automatic re-hashing of passwords when the ratchet is changed (the next time a member logs in).

admin

2025-01-03 17:47

administrator ~0009752

Fixed in Git commit 68915af4f1 (https://gitlab.com/composr-foundation/composr/commit/68915af4f1 - link will become active once code pushed to GitLab)

admin

2025-01-03 17:47

administrator

hotfix-6072, 2025-01-03 5pm.tar (42,496 bytes)

admin

2025-01-03 17:47

administrator ~0009753

A hotfix (a TAR of files to upload) has been uploaded to this issue. Only apply this hotfix if you absolutely need it and cannot wait until the next release of Composr (releases are more reliable and strictly tested). As of Composr version 11, the recommended way to apply a hotfix is by following the same steps as an upgrade (https://baseurl/upgrader.php, use the hotfix on the step “Transfer across new/updated files”). The upgrader will automatically skip files belonging to addons you do not have installed or that are newer on disk than in the hotfix. Otherwise, you can manually extract and replace these files (do not replace if your on-disk file is newer than the one in the hotfix). Always take backups of your site or at least files you are replacing before applying a hotfix. Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/).

Issue History

Date Modified Username Field Change
2024-11-27 21:48 Patrick Schmalstig New Issue
2024-11-27 21:48 Patrick Schmalstig Tag Attached: Roadmap: v11
2024-11-27 21:48 Patrick Schmalstig Tag Attached: Type: Security