Sudden Admin login issue

[DrByte]

Click the Reply button below, or the Quick Reply button. That will open a box where you can write your post. And IN THE TOP OF THAT BOX is a big section of bulleted points on things to include in your post ... and the title of that box is aptly named "Posting Tips".

[weif]

Thanks DrByte. The header of that box is not visible when the reply box opens, so the header is not apparent.


What version of Zen Cart are you using?

1.5.1


Has your site been upgraded?

No

What plugins/addons have you installed? When? If your problems are payment-related, what payment module(s) are you using? If it's shipping-related, which shipping module(s) are you using?


Image Handler 4

HOW did you install Zen Cart? (upload via FTP and run zc_install, or a one-click install from your hosting company? (one-click installs might mean you don't have enough information about your site/server to make customizations easily))

unzip, upload, run zc_install

What version of PHP and MySQL is your server using? (See Admin->Tools->Server Info)

PHP Version: 5.3.5 (Zend: 2.3.0)
Database: MySQL 5.1.54

WHEN did the problem "start"? How does that compare with other events of your hosting company, changes you've made to your site files/addons, or your admin settings, etc?

Problem started sometime between 6:50pm Mountain time Friday, March 15, 2013 and 11:15am Mountain time Monday, March 18, 2013.

If this is your first store, have you tested all aspects of transactions before going live?

This is the third store I have worked with. There are two others on the same hardware (one 1.5.1 and 1.3.9) that do not have this problem. This issue only came up on the newest store.

In what ways is your site customized or different from a brand new uncustomized install?

Only a template for the store and the image handler plugin.

Please post your site URL* so we can take a look at it. This is especially important if you're encountering display/layout problems, so the problem can be seen directly.

Do you really need this? - the issue is admin login related (and I REALLY don't want to give out the admin login URL), and the store owner isn't ready to push the site out yet - she wants to get more of her products listed before going live. Also, the issue appears to be resolved by deleting and re-creating the affected admin account.


If you're encountering problems that could be related to your server or hosting company, include the name of your hosting company (not their URL).

Other Zen-Cart sites on the same server - and even other admin users on this store were not affected.

HAVE YOU LOOKED IN THE FAQ AREA for answers to your question? (ie: a search for your error message or what you want to edit/change, etc)

Yes.

Have you searched the FORUM for your error message or for answers to the question you're asking?

Yes. That's how I found this seemingly related thread.

[DrByte]

Your prior post said that you resolved it by deleting the admin user and creating a new one? Do the symptoms continue to persist now? Does it affect all the admins equally?
The person whose post you added yours onto said that their symptoms affected the storefront end as well. Did that happen to you?

[weif]

Your prior post said that you resolved it by deleting the admin user and creating a new one? Do the symptoms continue to persist now? Does it affect all the admins equally?

No, as I mentioned, it only affected one admin account.

The deletion of the account and creation of a new account *seems* to have corrected the issue. However, changing the password did not, nor did changing the username. Logging in to this one account (or attempting to, at least) resulted in the login page reloading. This was tested on three different computers, and with Chrome, Firefox, and Internet Explorer on Windows 7 and on FreeBSD (well, obviously IE was not tested on FreeBSD). On two of the computers used for testing, other admin accounts could log in.

The person whose post you added yours onto said that their symptoms affected the storefront end as well. Did that happen to you?

There are only two customer accounts, and both of these are able to log in.

[lhungil]

I know I've run into issues when an Admin User uses the "forgot my password" form and either does not receive the email. In this case, until the reset_token expires, changing the password manually using another admin account appears to have little effect. After going into phpmyadmin or similar and removing the "reset_token" from the affected user account, the password reset from the admin interface works.

I suppose the easiest way to handle this case might be to correct the user's email address and then they can probably just call the "forgot my password" form again - but I've just gone in and removed the reset_token the handful of times I have seen this case occur.

I've also seen similar symptoms when an Admin User forgets their password and triggers an account lockout... Until the lockout period expires, even if the password is manually reset by another admin account, the affected Admin User account cannot login.

[DrByte]

I know I've run into issues when an Admin User uses the "forgot my password" form and either does not receive the email. In this case, until the reset_token expires, changing the password manually using another admin account appears to have little effect. After going into phpmyadmin or similar and removing the "reset_token" from the affected user account, the password reset from the admin interface works.

I suppose the easiest way to handle this case might be to correct the user's email address and then they can probably just call the "forgot my password" form again - but I've just gone in and removed the reset_token the handful of times I have seen this case occur.

I've also seen similar symptoms when an Admin User forgets their password and triggers an account lockout... Until the lockout period expires, even if the password is manually reset by another admin account, the affected Admin User account cannot login.

Perhaps it might be good to file a bug report explaining these symptoms. Also, you used the word "either" in your first sentence but didn't finish the thought which it implied. Further, the whole reason for the reset-token is specifically so that if the email is not received that the original password will still indeed work, unlike prior versions where the password was immediately changed to whatever was in the email and then the account became totally useless without the email. The system doesn't currently consider unlocking things by another administrator; that could be an oversight which needs addressing.

[lhungil]

... you used the word "either" in your first sentence but didn't finish the thought ...

Forgot to remove the word "either" when previewing / editing before posting

A) did not receive the email B) the wrong email was listed in Zen Cart for the account C) email went to spam / junk D) Email subsystem turned off E) Email misconfiguration

... the whole reason for the reset-token is specifically so that if the email is not received that the original password will still indeed work, unlike prior versions where the password was immediately changed to whatever was in the email and then the account became totally useless without the email. The system doesn't currently consider unlocking things by another administrator; that could be an oversight which needs addressing.

I do like the new reset_token in 1.5 - and I believe it is also configured out of box to force the user to change the password if they use the reset_token (I'd have to take a deeper look at the code, but this is what I remember the last time i used the password_forgotten form).

I consider the enforced password change a nice security feature. Far too many people think unencrypted email is a safe method for transmitting passwords days!

When I get some time, I plan to look at the code in more detail and post something in "Code Suggestions".