I got an email from an existing registered customer saying:

"Your order page will not accept my user name or password. I can't place my order and I can't register a new account. I just want to buy a CD."

I reset the customer's password and tested this and true enough, when logging in to their account using the stored email address and password, I get this error:

The following errors were detected:

  • Invalid Username and/or Password

This is a serious issue, can anyone help please?


Link to post
Share on other sites

Please check the database via phpMyAdmin to see if the current customer data did update properly. I assume this is a customer from when you were using v4?

 

Indeed he is. I am slightly familiar with phpmyadmin but only for exporting and backing up, could you please explain how I would check the customer data has updated and what to do if not.

Link to post
Share on other sites

Well, that's not as simple as I had thought it would be. The password is encrypted in some way and has a salt value as well - not something I understand. But you could look to see if this customer has a very long password value and if there is a salt value listed. I think you may find that some of your oldest customers do not have a salt value. Our database goes back to v3 and early ones don't.

 

Search the CubeCart_customer table, with email LIKE the email address you want.



Ah - just found this in an old thread -

 

SOLVED.

Removed the salt altogether through phpmyadmin.
Then created a new password through Admin backend.
Seems to have solved the problem.

 

 

Link to post
Share on other sites

 

Ah - just found this in an old thread -

 

SOLVED.

Removed the salt altogether through phpmyadmin.

Then created a new password through Admin backend.

Seems to have solved the problem.

 

 

 

I have no idea what salt value is. I have already changed the password in the admin CP while I was testing.

 

So I still don't really know what to do. It's beginning to make me feel like I should ditch Cubecart and get something else, I am losing sales. And this isn't the first time this has happened. The last time I just sent the customer a paypal invoice and apologised for the store not working properly.

 

Link to post
Share on other sites

Go to phpMyAdmin to the CubeCart_customer table and click on the Search choice in that row. Then put the customer's email address in the email row. Scroll down to the GO button. When it pulls up the entry, double click in the salt entry and delete it and save.

 

Then go into Admin and re-create a password.

 

As far as this customer goes, I, too, just create a PP invoice and then try to figure out what happened, rather than delay the sale. We have very few repeat customers due to our type of inventory, so this hasn't been an issue for us. But if you DO get a lot of repeat business, obviously this is going to be a problem for you. Hopefully Bsmither will be along soon with a better solution.

Link to post
Share on other sites

Go to phpMyAdmin to the CubeCart_customer table and click on the Search choice in that row. Then put the customer's email address in the email row. Scroll down to the GO button. When it pulls up the entry, double click in the salt entry and delete it and save.

 

Then go into Admin and re-create a password.

 

As far as this customer goes, I, too, just create a PP invoice and then try to figure out what happened, rather than delay the sale. We have very few repeat customers due to our type of inventory, so this hasn't been an issue for us. But if you DO get a lot of repeat business, obviously this is going to be a problem for you. Hopefully Bsmither will be along soon with a better solution.

Thanks, that worked a treat. (I think) At least I can now log in as him, just waiting to see if the customer can buy something.

Link to post
Share on other sites

You'd better check a few more of your older customers, particularly if you have no reason to think they would buy from you again, to see if you can change THEIR password and use their login without having to do all this for each.

 

Hopefully that was an anomaly and all will be well. If not, you're going to need help from someone like Bsmither.

 

Good luck!!!

Link to post
Share on other sites

You'd better check a few more of your older customers, particularly if you have no reason to think they would buy from you again,

 

Do you mean "particularly if you have a reason to think they would buy from you again" ?

 

I think I have to assume anybody might buy from me again so this is a bit of a worry. I will check a few at random.

Link to post
Share on other sites

Well, my thinking was you might know, because of what you sell, who would be likely to repeat and who would not. If you change passwords on a good customer you will need to write them and tell them what you did - a non-repeat customer not such a problem. Just convoluted thinking, I guess.

 

If you have some good previous customers who won't mind helping you out, maybe you could just ask them to try to login and see what happens. Then they won't be surprised if you changed their passwords.

Link to post
Share on other sites

"I reset the customer's password and tested this and true enough, when logging in to their account using the stored email address and password, I get this error."

 

Using phpMyAdmin, please report the parameters of the CubeCart_customer table, the 'salt', 'password', and 'new_password' columns.

 

Here is what they should be now:

salt: VARCHAR(32) NULL

password: VARCHAR(128) NULL

new_password: TINYINT(1) DEFAULT 1

 

In CC430, the 'salt' column was added, but was only VARCHAR(6). In CC500b1, that was changed to VARCHAR(32). In CC500b6, the new_password column was added and the password column was changed to VARCHAR(128).

Link to post
Share on other sites

"I reset the customer's password and tested this and true enough, when logging in to their account using the stored email address and password, I get this error."

 

Using phpMyAdmin, please report the parameters of the CubeCart_customer table, the 'salt', 'password', and 'new_password' columns.

 

Here is what they should be now:

salt: VARCHAR(32) NULL

password: VARCHAR(128) NULL

new_password: TINYINT(1) DEFAULT 1

 

In CC430, the 'salt' column was added, but was only VARCHAR(6). In CC500b1, that was changed to VARCHAR(32). In CC500b6, the new_password column was added and the password column was changed to VARCHAR(128).


Thanks very much, but can you explain in phpmyadmin beginner's steps.

e.g. I don't know what report means.

I solved the one customer issue by deleting the salt as advised by Dirty Butter, however it would be good to know that it won't happen again.

And it would be good to do it without changing existing customers' password.

Link to post
Share on other sites

Go to your cpanel from your host, choose phpMyAdmin, and click on the STRUCTURE choice on the CubeCart_customer row. You'll see the parameters for each column in that table. Bsmither needs you to list what you now see in the salt, password, and new password entries.

Link to post
Share on other sites

Would you happen to have a backup of your CC5 database from last week?

 

You are one of the few CC5 users who have upgraded from CC3, so please forgive us if it seems we are tasking you to assist us in figuring this out when, truly, you just want a solution.

 

If you have a backup, find the customer's record (who caused you to initiate this thread) and I would like to know the values of just a few columns:

password: is the value 32 characters or something else

salt: is the value 'null', six characters, or eight characters

new_password: is the value 0 or 1

status: 0 or 1

type: 0, 1, or 2

Link to post
Share on other sites

Would you happen to have a backup of your CC5 database from last week?

 

You are one of the few CC5 users who have upgraded from CC3, so please forgive us if it seems we are tasking you to assist us in figuring this out when, truly, you just want a solution.

 

If you have a backup, find the customer's record (who caused you to initiate this thread) and I would like to know the values of just a few columns:

password: is the value 32 characters or something else

salt: is the value 'null', six characters, or eight characters

new_password: is the value 0 or 1

status: 0 or 1

type: 0, 1, or 2

 

 

Password was many more than 32, seems to be 128

 

was 8 characters

 

New password is 1

 

Status is 1

 

type is 1

Link to post
Share on other sites

Then this customer had (attempted, at least) to log-in prior to the 18th, which, during that attempt, CubeCart 5 upgraded his password from the CC3 encoding to the CC5 encoding. But it still should have worked.

Link to post
Share on other sites

Then this customer had (attempted, at least) to log-in prior to the 18th, which, during that attempt, CubeCart 5 upgraded his password from the CC3 encoding to the CC5 encoding. But it still should have worked.

Ok, but at one stage after he contacted me I changed his password in the admin section and attempted to log in as him, and still got the error.

Link to post
Share on other sites

Ok, so that customer's record was of no help. We need to find a customer's record that still has the CC3 encoding -- no salt and 32 character hash.

 

Would there possibly be an old CC3 test account that you know the password to? (Don't try to log in to it until I give you some instructions.)

 

(There was an account such as that in one of my databases. I was able to trace the program flow.)

 

Neither can we positively rule out the possibility that the customer had exceeded the failed log in attempts. Once 'blocked', three bugs will have CubeCart say the user/pass is not valid (when it should say the user is blocked). One of the bugs seems to suggest that even one bad login attempt will block any further attempts for ten minutes. You are supposed to get five attempts (entering bad login info) before being blocked. Then, once blocked, and then if you enter good login info, you are supposed to be told you are being blocked, please try again later.

 

If you look in CubeCart_access_log, those attempts might still be in there. Records older than about 25 days are purged.

 

Again, this does not answer the question as to why the admin, having changed the password, could not log in as the customer, unless the first attempt (by the admin) also muffed it.

Link to post
Share on other sites

It's in phpMyAdmin - probably your first table in your database.

Yes, of course I was thinking it was in Cubecart.

OK, I can see a lot of Ns, but most look like bots or spammers: eg Aeugnf, OceagoMeedo, Jbagsfdnalsf

But there are also a few legit users denied access.

Link to post
Share on other sites

That's what mine looks like, too. I've never been in that table before. Can you tell if a legitimate looking one tried more than three times to login, rather than using the forgot password link? If you do, they blocked themselves as CC should have, although I'm not sure if CC provides a warning about that to the customer or not.

Link to post
Share on other sites

"I'm sure I have a test account of my own that I started back in v3, but have forgotten the password though presumably I can use the retrieve password form to find it."

 

I haven't worked through the code for the "Forgot Password?" on the store front. I fear it may want to create a CC5 encoded password, and that would defeat what I want to try. (Or, this feature may be what is causing the problem!)

 

EDIT:

Just now worked through the code. Requesting a password reset does not convert an existing password encoding. But when following through (the recovery phase), it does.

 

Keep in mind that CubeCart does not store the actual password, but rather a hash representation of it that cannot be un-encoded. The 'retrieve password' form, as you put it, does not retrieve the password, but instead starts the process of allowing the customer to specify a new password to use.

 

In phpMyAdmin, you can filter for only the records where a column has a certain value. So, among all the 'spam' and robots in the access table, there will be the '[email protected]' username (email) we are looking for.

 

"there are also a few legit users denied access"

 

Do these records have a salt? A 32 or 128 character password?

Link to post
Share on other sites
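
The checks asked for in the posts above (the column definitions, and which records still hold a 32-character unsalted hash rather than a 128-character salted one), written out as an added example that is not part of any post and not CubeCart's own code. It assumes MySQL through phpMyAdmin's SQL tab and the table and column names exactly as quoted in this thread (adjust the table prefix to your install); every statement only reads data and none of them displays a hash or salt value.

```sql
-- Added example (not CubeCart code). Names are those quoted in the thread.

-- 1. Column definitions. Expected per the thread:
--    salt VARCHAR(32) NULL, password VARCHAR(128) NULL,
--    new_password TINYINT(1) DEFAULT 1.
--    A narrower salt or password column would truncate stored values.
SHOW COLUMNS FROM `CubeCart_customer`
WHERE Field IN ('salt', 'password', 'new_password');

-- 2. How many customers are in each stored-hash format.
SELECT hash_format, COUNT(*) AS customers
FROM (
    SELECT CASE
        WHEN COALESCE(CHAR_LENGTH(`password`), 0) = 0
            THEN 'no password stored'
        WHEN CHAR_LENGTH(`password`) = 32
             AND COALESCE(CHAR_LENGTH(`salt`), 0) = 0
            THEN '32-char hash, no salt (CC3 encoding per the thread)'
        WHEN CHAR_LENGTH(`password`) = 32
            THEN '32-char hash with salt'
        WHEN CHAR_LENGTH(`password`) = 128
             AND COALESCE(CHAR_LENGTH(`salt`), 0) > 0
            THEN '128-char hash with salt'
        ELSE 'unexpected combination'
    END AS hash_format
    FROM `CubeCart_customer`
) AS classified
GROUP BY hash_format
ORDER BY customers DESC;

-- 3. The individual records that are not 128-char hash plus salt,
--    showing lengths only, with the flags requested in the thread.
SELECT `email`,
       COALESCE(CHAR_LENGTH(`password`), 0) AS hash_len,
       COALESCE(CHAR_LENGTH(`salt`), 0)     AS salt_len,
       `new_password`, `status`, `type`
FROM `CubeCart_customer`
WHERE COALESCE(CHAR_LENGTH(`password`), 0) <> 128
   OR COALESCE(CHAR_LENGTH(`salt`), 0) = 0
ORDER BY hash_len, salt_len, `email`;
```

Reporting lengths rather than the stored values keeps hashes and salts out of forum posts and screenshots while still answering the questions asked above.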
