[Resolved] Automated Login-Cubecart 6

[spike210957]

Hi All,

I have a website that requires members to Login but then so does the CubeCart Shop.  Is there an out of the box way of having an integrated login?

 

kind regards

 

Spike

[spike210957]

Ok so that's a nyet then.  So when my user changes their password($password) I'm trying to synchronise cubecart_customer like this:

require_once('store/classes/password.class.php');

$mypassword = password::getInstance();
      
$ccsalt = $mypassword->createSalt();
      
$ccpassword = $mypassword->getSalted($password, $ccsalt);
      
$updsql1 = "update cubecart_customer set password ='" . $ccpassword . "', salt='" . $ccsalt . "' where email = '" . $email . "';";
      

Everything is updating properly but when I try to login to the Store with $email and $password I'm getting invalid username or password.  

 

Can anyone shed some light?

 

thanks

 

Spike

[bsmither]

Cubecart uses a caching mechanism for SELECT queries. The case could be that even after sending the UPDATE query, the SELECT query is pulling the results from the cache.

So, you may need to also mimic Cubecart's Cache class function to clear the SQL cache:

$files = glob($path_to_cache.'*.sql.*.cache', GLOB_NOSORT);
if (is_array($files)) {
	foreach ($files as $file) {
		if(file_exists($file)) {
			@unlink($file);
		}
	}
}
clearstatcache();

You can make a simple test: in CubeCart's admin, disable the Cache feature (admin, Store Settings, Advanced tab). Then see if the updated customer record can authenticate. Also, make sure the updated customer record has '1' for the 'new_password' column.

[spike210957]

Worth a shout but the cache was disabled in my store by default I think.

I'm seeing something else that I don't understand.  If I manually reset the password like this:

update cubecart_customer set password = 'willow', salt = null, new_password=1 where email = '[email protected]';

And I can see the password as plain text in cubecart_customer.

Then I login with 'willow' as the password and I see that the password has been encrypted in cubecart_customer and a salt value added.  So All good.

But I log out and am unable to log back in again with the same password/email.

 

Edited January 5, 2016 by spike210957

[bsmither]

You are close.

CubeCart goes through these steps:

0. Value in the 'password' column is already MD5 hashed.
1. Is there a salt? No, must be a CC3 level password. Make it a salty CC4 password (make salt, hash password and salt). Goto 1.
2. Yes, there is a salt. Is 'new_password" = 1? No, must be a salty CC4 level password. Try to authenticate and will make password extra salty later.
3. Yes, 'new_password' = 1. Must be an extra salty CC5/6 level password. Run POSTed password through extra salty algorithm. Try to authenticate.

So, the initial step of putting 'willow' as the CC3 level password is the first misunderstanding. The password in the database must be MD5 hashed. CubeCart believes "willow" to be the hashed password.

Then, having salt = null but new_password = 1 is a faulty combination.

"Then I login with 'willow' as the password"

I'll have to trace the code with this scenario. I believe logging in with 'willow' as the password in the database should not be possible.

[spike210957]

Excellent!  So this sorts out the manual update:

update cubecart_customer set password = md5('willow'), salt = '', new_password=0 where email = '[email protected]';

and indeed this works if I plug it into my site password change page.

Thanks so much for you help

[harrisorganic]

Following on from this topic  I asked CC some time ago about logging in with Facebook or other social media logins so that it is easier for customers to login. I hope it is available as a plugin soon.