I get the following error when trying to log in:
Error: Cookies are blocked due to unexpected output.
I customized the WordPress core functions wp_hash_password() and wp_check_password() to use the SHA1 algorithm for user authentication instead of MD5. I modified them in the pluggable.php file (not best practice but good for testing). The functions now look like this:
    function wp_hash_password( $password ) {
        // sha1() returns a 40-character hex string, not a hasher object,
        // so return it directly instead of calling HashPassword() on it.
        return sha1( trim( $password ) );
    }

    function wp_check_password( $password, $hash, $user_id = '' ) {
        global $wp_hasher;

        // If the stored hash is 40 characters long, treat it as a SHA1 hex digest.
        if ( strlen( $hash ) == 40 ) {
            echo '<h2>'.$hash.'</h2>';
            $check = hash_equals( $hash, sha1( $password ) );
            if ( $check && $user_id ) {
                // Rehash using new hash.
                wp_set_password( $password, $user_id );
                $hash = wp_hash_password( $password );
            }

            /**
             * Filters whether the plaintext password matches the encrypted password.
             *
             * @since 2.5.0
             *
             * @param bool       $check    Whether the passwords match.
             * @param string     $password The plaintext password.
             * @param string     $hash     The hashed password.
             * @param string|int $user_id  User ID. Can be empty.
             */
            return apply_filters( 'check_password', $check, $password, $hash, $user_id );
        }

        // Otherwise, presume the stored hash is a phpass portable hash.
        if ( empty( $wp_hasher ) ) {
            require_once ABSPATH . WPINC . '/class-phpass.php';
            // By default, use the portable hash from phpass.
            $wp_hasher = new PasswordHash( 8, true );
        }

        $check = $wp_hasher->CheckPassword( $password, $hash );

        /** This filter is documented in wp-includes/pluggable.php */
        return apply_filters( 'check_password', $check, $password, $hash, $user_id );
    }
The conversion from password to SHA1 works perfectly, as well as the password check. I think a function responsible for setting the cookie is still using MD5. But I can’t verify and can’t find the function.
Does anyone have an idea on this?
Thanks in advance
Jan
Answers:
Method 1
This line (at least) is being output before the cookie can be set:
    echo '<h2>'.$hash.'</h2>';
Sending output to the screen (even empty lines) will prevent cookies being set.
From the PHP docs:
Like other headers, cookies must be sent before any output from your
script (this is a protocol restriction). This requires that you place
calls to this function prior to any output, including <html> and
<head> tags as well as any whitespace.
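
The following is an added example, not part of the original question or answer: it shows a way to keep debug information out of the response (logging only the hash length rather than echoing the hash) and to use PHP's headers_sent() to find the file and line where output started. The helper names debug_auth_note() and locate_early_output() and the sample password are assumptions made for the illustration, and the demonstration assumes output buffering is off, as it is under the PHP CLI.

```php
<?php
// Added example. debug_auth_note() and locate_early_output() are hypothetical
// helper names; the sample password below is constructed.

/**
 * Record a debugging note without producing any HTTP output.
 * Only the hash length and the result are logged, never the hash itself.
 */
function debug_auth_note( string $hash, bool $check ): void {
    error_log( sprintf(
        'wp_check_password: hash length=%d, match=%s',
        strlen( $hash ),
        $check ? 'yes' : 'no'
    ) );
}

/**
 * Report where output started once headers have already been sent.
 * Returns null while cookies can still be set.
 */
function locate_early_output(): ?string {
    $file = '';
    $line = 0;
    if ( headers_sent( $file, $line ) ) {
        return sprintf( 'output started at %s:%d', $file, $line );
    }
    return null;
}

// Constructed sample data standing in for a stored hash and a login attempt.
$stored = sha1( 'constructed-sample-password' );
$check  = hash_equals( $stored, sha1( 'constructed-sample-password' ) );

// Logging goes to the error log, so headers are still unsent afterwards.
debug_auth_note( $stored, $check );
$before = locate_early_output();

// Any echo, like the debug line in the question, sends the headers.
echo "<h2>debug</h2>\n";
$after = locate_early_output();

error_log( 'before echo: ' . ( $before ?? 'headers not sent yet' ) );
error_log( 'after echo:  ' . ( $after ?? 'headers not sent yet' ) );
```

Calling locate_early_output() just before the point where a cookie is set gives the file and line of the statement that produced the first output.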
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.