the secure PHP framework


set_password error in 6.6

29 october 2019, 03:40
Hello Hugo,

I am finally getting around to trying 6.6 and had trouble getting into the cms. I am using PHP 7.3.8 and ran into the following two things (2nd is just a warning)...

1) PHP Warning: password_hash() expects parameter 2 to be int, string given in /var/www/banshee/database/set_password on line 40 (I changed the $username parameter to a "1" and that seems to have fixed it.)

2) PHP Warning: Use of undefined constant PASSWORD_ARGON2I - assumed 'PASSWORD_ARGON2I' (this will throw an Error in a future version of PHP) in /var/www/banshee/libraries/core/banshee.php on line 17 (I commented this line out in mine, I am assuming this line is no longer needed.)
Hugo Leisink
29 october 2019, 09:58
1) Weird. The second parameter is the constant PASSWORD_ALGORITHM, which is set in libraries/core/banshee.php.

2) Also weird. Try setting quotes around PASSWORD_ARGON2I. What OS do you use?
2 november 2019, 02:12
In item one, having the second parameter as $username outputs nothing, but having a 1 outputs a hash of about 59 characters. Also not mentioned before is that typing the same password multiple times produces different hashes. On a previous Banshee version, using the same password over and over always gave the same hash. Don't know if that is what is to be expected with Argon2I.

In item two, having the quotes produces no complaints.

I am using Linux -- Fatdog64-802
4 november 2019, 03:35
While trying to create a new user through CMS, I got the following error...
"=> password_hash() expects parameter 2 to be int, string given
line 231 in /var/www/banshee/models/cms/user.php
SQL query: insert into `users` (`id`, `organisation_id`, `username`, `password`, `one_time_key`, `cert_serial`, `status`, `authenticator_secret`, `fullname`, `email`) values (null, '1', 'Name', null, null, null, '2', null, 'Name Example', '')
Error message: Column 'password' cannot be null"

In line 231 of that file, I replaced PASSWORD_ALGORITHM with 1. I was then able to create a user, login, logout, and log back in. Don't know if that is the correct secure way but I got better results than before.
Hugo Leisink
4 november 2019, 09:16
This is all too weird. I guess something else is going wrong. Does your system support the Argon2 algorithm? What is the output of the following command?
php -r 'print PASSWORD_ARGON2I."\n";'

On my system, the output is '2', the value of that constant.
4 november 2019, 19:57
Tried real quick this morning before leaving for work. Got the missing quotes error as above. When I added quotes, I got no output, similar to what happens when forgetting to include a semi-colon.

I'll try again later.
Hugo Leisink
5 november 2019, 00:00
Looks like your system doesn't support Argon2. Try replacing PASSWORD_ARGON2I with PASSWORD_BCRYPT (without quotes) in libraries/banshee/core/banshee.php. You then need to reset your passwords (via the set_password script) of course, because the algorithm changed.
5 november 2019, 01:46
I think I'll try investigating why my system doesn't support it. I'll let you know what I find. Since I have control over it, I should be able to fix it if I find the cause.
5 november 2019, 06:35
I installed libargon2 from my package manager. It turns out that argon2 is not included in php by default so when compiling, we have to do --with-password-argon2 which I have now done.

If I can get php to actually use my libargon, I will be able to use PASSWORD_ARGON2ID since that upgrade is available as of 7.3.

Thanks for your help!
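
The failure discussed in this thread (a PHP build without Argon2, where the undefined constant turns into a string and password_hash() returns no hash), as an added example that is not part of the original posts and not Banshee code. The helper names pick_password_algorithm(), hash_password() and verify_and_upgrade() are hypothetical, and the password is constructed sample input.

```php
<?php
// Added example, not Banshee code; all function names are hypothetical.

// Argon2 constants are only defined when PHP was built with Argon2
// support (--with-password-argon2), so test for them with defined()
// rather than referencing them directly.
function pick_password_algorithm() {
    foreach (array("PASSWORD_ARGON2ID", "PASSWORD_ARGON2I") as $name) {
        if (defined($name)) {
            return constant($name);
        }
    }
    return PASSWORD_BCRYPT;   // always available
}

// Fail loudly instead of passing a null hash on to the database.
function hash_password($password) {
    $hash = password_hash($password, pick_password_algorithm());
    if (is_string($hash) == false) {
        throw new RuntimeException("password_hash() failed, nothing stored");
    }
    return $hash;
}

// Returns false on a wrong password, otherwise the hash to keep:
// a fresh one when the stored hash does not match the preferred algorithm.
function verify_and_upgrade($password, $stored_hash) {
    if (password_verify($password, $stored_hash) == false) {
        return false;
    }
    if (password_needs_rehash($stored_hash, pick_password_algorithm())) {
        return hash_password($password);
    }
    return $stored_hash;
}

// Constructed sample input.
$password = "correct horse battery staple";
$first = hash_password($password);
$second = hash_password($password);

// A random salt is generated per call, so the two hashes differ but both verify.
var_dump($first === $second);
var_dump(password_verify($password, $first) && password_verify($password, $second));
print password_get_info($first)["algoName"]."\n";

// A bcrypt hash created earlier still verifies and is replaced at login when needed.
$legacy = password_hash($password, PASSWORD_BCRYPT);
var_dump(verify_and_upgrade($password, $legacy) !== false);
```

Because password_verify() reads the algorithm and salt from the stored hash itself, existing bcrypt hashes keep working after Argon2 becomes available and can be replaced one login at a time.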