  1. #1
    Join Date
    Oct 2007
    Posts
    68
    Plugin Contributions
    0

    Upgrade from 150 to 154 did not change passwords in DB to $2Y format

    I have tried this a couple of times now. Here is the procedure I am doing and maybe someone can point out what I am doing wrong:

    Create a new DB in cpanel.
    Install fresh 154 to a new folder pointed at the new db.
    rename admin and zc_install
    Log into admin panel to make sure everything is working.
    rename admin and zc_install back
    use phpmyadmin to import old database over the top of zencart defaults
    Run zc_install again and choose to upgrade the database.

    These four options were already checked:
    Upgrade DB from 1.5.0 to 1.5.1
    Upgrade DB from 1.5.1 to 1.5.2
    Upgrade DB from 1.5.2 to 1.5.3
    Upgrade DB from 1.5.3 to 1.5.4

    Put in the old zc admin/password and click update database now.
    It returns some errors because it finds columns and configuration keys that already exist.

    If I look at the db in phpmyadmin the passwords are all still the old format. If I try to log into a customer account it tells me the password is wrong. If I generate a new account it creates a password with the $2Y format and all is good.

    Any idea how I can get it to upgrade the passwords so that customers don't have to reset their password?

  2. #2
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Upgrade from 150 to 154 did not change passwords in DB to $2Y format

    Quote (originally posted by spyderrobotics):
        If I look at the db in phpmyadmin the passwords are all still the old format.
    That's normal.
    It converts the password only when the user actually logs in.


    Quote (originally posted by spyderrobotics):
        Any idea how I can get it to upgrade the passwords so that customers don't have to reset their password?
    It can't convert it without having the original password. The hash that's in the database is NOT the password, and is always only used to compare the hash of the actual password being entered at login. But during login, if they enter the password correctly then it will upgrade the password to the new format.

    Quote (originally posted by spyderrobotics):
        If I generate a new account it creates a password with the $2Y format and all is good.
    That's normal.

    Quote (originally posted by spyderrobotics):
        If I try to log into a customer account it tells me the password is wrong.
    Assuming all the v154 files are present and in the appropriate folders, and the files related to password handling haven't been altered in any way and no old leftover files from a prior version are interfering, then it should be able to generate a passing hash to validate the old-format password, assuming the correct password is supplied.
    Prior to PHP 5.5 the hashing logic is handled by a "shim" library. What PHP version are you using?

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
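
The verify-then-upgrade step described in the reply above, as an added example (not Zen Cart's own code and not posted in the thread). It assumes legacy hashes are stored as `md5(salt . password):salt`; all function names are hypothetical.

```php
<?php
// Added example (PHP 7.1+), not Zen Cart code. ASSUMPTION: legacy hashes
// are stored as md5(salt . password) . ':' . salt. All names are hypothetical.

/** Classify a stored hash so accounts still awaiting migration can be counted. */
function hash_format(string $stored): string
{
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        return 'modern';                      // e.g. a $2y$ bcrypt hash
    }
    if (preg_match('/^[0-9a-f]{32}:.+$/i', $stored) === 1) {
        return 'legacy';                      // assumed md5:salt layout
    }
    return 'unrecognised';
}

/**
 * Check a login attempt. Returns [bool $ok, ?string $newHash]; a non-null
 * $newHash must be written back to the account row by the caller.
 */
function login_check(string $plain, string $stored): array
{
    switch (hash_format($stored)) {
        case 'modern':
            if (!password_verify($plain, $stored)) {
                return [false, null];
            }
            $stale = password_needs_rehash($stored, PASSWORD_DEFAULT);
            return [true, $stale ? password_hash($plain, PASSWORD_DEFAULT) : null];
        case 'legacy':
            [$digest, $salt] = explode(':', $stored, 2);
            if (!hash_equals(strtolower($digest), md5($salt . $plain))) {
                return [false, null];
            }
            // Only here, with the plaintext in hand, can the hash be upgraded.
            return [true, password_hash($plain, PASSWORD_DEFAULT)];
        default:
            return [false, null];             // altered or truncated value
    }
}

// Constructed sample: one imported account, one failed and one good login.
$stored = md5('ab' . 'correct horse') . ':ab';
foreach (['wrong guess', 'correct horse'] as $attempt) {
    [$ok, $newHash] = login_check($attempt, $stored);
    if ($ok && $newHash !== null) {
        $stored = $newHash;                   // stands in for the DB UPDATE
    }
    printf("%-14s ok=%s stored=%s\n", $attempt, var_export($ok, true), hash_format($stored));
}
```

Running `hash_format()` over every stored hash after an import shows how many accounts still carry the weaker legacy hash, which stays in place until each user's next successful login.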

  3. #3
    Join Date
    Oct 2007
    Posts
    68
    Plugin Contributions
    0

    Re: Upgrade from 150 to 154 did not change passwords in DB to $2Y format

    I just recreated this again. I think the previous exceptions were because I was trying to upgrade a 2nd time. This time I dropped everything in the db and imported the old database and ran the zc_install just like before. It recognizes it as a 150 db. I perform the upgrade and there are no exceptions this time. Customer passwords are still the old format and cannot be logged into. No exceptions in the db upgrade_exceptions and the log that it generated all looks fine.

  4. #4
    Join Date
    Oct 2007
    Posts
    68
    Plugin Contributions
    0

    Re: Upgrade from 150 to 154 did not change passwords in DB to $2Y format

    Just got your response. When I click the check php version button in the zc_install it shows 5.6.16.

  5. #5
    Join Date
    Oct 2007
    Posts
    68
    Plugin Contributions
    0

    Re: Upgrade from 150 to 154 did not change passwords in DB to $2Y format

    This is a fresh copy of 154 with no alterations. I can create a new account and it is able to log in and out. Any accounts that were in the database, however, give "Error: Sorry, there is no match for that email address and/or password." I have several test accounts of my own in there so I know what the passwords are. I can go to my currently live site that has that database and log in and out with those same passwords. I appreciate your time and thoughts!

  6. #6
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Upgrade from 150 to 154 did not change passwords in DB to $2Y format

    While v155 isn't quite ready for release (but will be soon), can I get you to try the same using the v155 code? You can download the beta here: https://github.com/zencart/zencart/archive/v155.zip

    Do the same problems persist in v155 when you follow the same steps?

  7. #7
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Upgrade from 150 to 154 did not change passwords in DB to $2Y format

    1. In v154 the files involved are:
    /includes/functions/password_funcs.php was changed considerably
    /includes/functions/password_compat.php was also changed considerably
    /includes/classes/class.zcPassword.php is new
    /includes/classes/vendors/password_compat-master/lib/password.php
    /includes/auto_loaders/config.core.php should have the code in it to instantiate class.zcPassword.
    But, in fairness, if the new passwords are working, that suggests all the code is in the right places (except perhaps the 2 includes/functions/ files)

    2. I know you said the password hashes weren't upgraded, and don't have the 2Y prefix. Can you post one of those password hashes here? And confirm that it is indeed unchanged from before the upgrade. (as opposed to getting altered to a different non-2Y-prefix format)

    3. Do you have any serverside enhancements installed, such as suhosin?