
Posted by: tecman - Friday, 3 November 2017 12:18:13
I can't login using my admin's username and password after upgrading to the v2.2.4.4. Is it a known issue? I also tried to use the Lost Password function. It asked me the security question, but my answer was not accepted. Fortunately, I am logged in in another browser, so I still can login to our forum there. I wanted to change the answer to security question, but I couldn't find this section in my forum profile. Can you help me with that?

Posted by: tha_watcha - Friday, 3 November 2017 16:28:57
[quote=tecman;70756]I can't login using my admin's username and password after upgrading to the v2.2.4.4. Is it a known issue? I also tried to use the Lost Password function. It asked me the security question, but my answer was not accepted. Fortunately, I am logged in in another browser, so I still can login to our forum there. I wanted to change the answer to security question, but I couldn't find this section in my forum profile. Can you help me with that?[/quote]
From which version did you upgrade? Did you override your old web.config?

Posted by: tecman - Friday, 3 November 2017 16:46:34
I upgraded from the v 2.2.3.0. As always, I added my personal settings to the fresh web.config from the full install package manually to use the latest version of web.config.

Posted by: tecman - Friday, 3 November 2017 17:09:28
I've managed to reset my password using the browser in which I was logged in. Can you also tell me how I can change the security question and answer to it? Where can I find this user setting? Is it available at all after completing the registration?

Posted by: tha_watcha - Friday, 3 November 2017 17:49:26
[quote=tecman;70760]I upgraded from the v 2.2.3.0. As always, I added my personal settings to the fresh web.config from the full install package manually to use the latest version of web.config.[/quote]
Why did you use the full package? There is an upgrade package. I assume you override your machine key. That would be the reason why you can't log in.

Posted by: tecman - Saturday, 4 November 2017 10:34:32
Can you tell me more about this machine key? As for the upgrade process I am using, I have been doing this from early times when I started to use YAF. Something went wrong with the upgrade first times, so I decided to do it manually using the full package. Add to this that I also fix some problems in original aspx files and do some personal settings in CSS every time before uploading the new version to the server. Bump #2. Any chance to get answer to the following question? [quote]Can you also tell me how I can change the security question and answer to it? Where can I find this user setting? Is it available at all after completing the registration?[/quote]

Posted by: tha_watcha - Saturday, 4 November 2017 14:53:46
[quote=tecman;70767]Can you tell me more about this machine key? As for the upgrade process I am using, I have been doing this from early times when I started to use YAF. Something went wrong with the upgrade first times, so I decided to do it manually using the full package. Add to this that I also fix some problems in original aspx files and do some personal settings in CSS every time before uploading the new version to the server. Bump #2. Any chance to get answer to the following question? [quote]Can you also tell me how I can change the security question and answer to it? Where can I find this user setting? Is it available at all after completing the registration?[/quote][/quote]
The security question, answer, password and password salt are saved in the [b]yaf_prov_Membership[/b] table, but all are stored encrypted via the machine key.

Posted by: tecman - Monday, 6 November 2017 16:16:40
You wrote that I could override the machine key. Can you tell me more about it? Does it mean that if I upgrade the way I described, all other users of my forum will also have login problems like me? Is there a related documentation I can read? BTW, when I upgrade the way I do, I never change any specific setting in the forum .config files. I imply that this machine key is something related to the web-server (server name, OS version, something else) and not a thing coded in the .config files. With that said, I simply can't change this machine key with my actions! As for the security question, ok, I understand that they are saved in a coded form in the db. However, if I have access to my account and can change almost anything in my profile, why can't I change the security question?? I would be glad if I could overwrite it with a new question/answer pair. Is it possible?

Posted by: tha_watcha - Tuesday, 7 November 2017 09:28:01
[quote=tecman;70772]You wrote that I could override the machine key. Can you tell me more about it? Does it mean that if I upgrade the way I described, all other users of my forum will also have login problems like me? Is there a related documentation I can read? BTW, when I upgrade the way I do, I never change any specific setting in the forum .config files. I imply that this machine key is something related to the web-server (server name, OS version, something else) and not a thing coded in the .config files. With that said, I simply can't change this machine key with my actions![/quote]
The machine key is really important: it encrypts the password, the security question and answer, and also the viewstate of the page. The Install Instructions of the forums contain how to set up a machine key for the site. Do you have the old web.config from before you upgraded, to check if the machine key was set in the web.config? If the machine key was not set, I changed the hashAlgorithm for the encryption in the new web.config for new installs. So you might need to check the membership connection string.
[quote=tecman;70772] As for the security question, ok, I understand that they are saved in a coded form in the db. However, if I have access to my account and can change almost anything in my profile, why can't I change the security question?? I would be glad if I could overwrite it with a new question/answer pair. Is it possible?[/quote]
The Password and the Security Question/Answer are all stored encrypted via the machine key. The only way to overwrite it directly in the db is to generate a new one via the API, or you create a new user with the password and Security Question/Answer and you copy over the hashed entries from that user to your user account.

Posted by: tecman - Tuesday, 7 November 2017 17:28:22
Please, give me a link and/or tell me where I can find detailed information about the installation process and this machine key. I compared the recommended.web.config from the v2.2.3 and 2.2.4.4 installation packages and found this node. As I see, I have never changed its validationKey and decryptionKey attributes. The whole node is even commented out! [quote]If the machine key was not set, I changed the hashAlgorithm for the encryption in the new web.config for new Installs. So you might need to check the membership connection string[/quote] Where can I find this membership connection string? [quote]The Password and the Security Question/Answer are all stored encrypted via the machinekey. The only way to overwrite it directly in the db is to generate a new one via the API [/quote] Why can't we do that in the interface??

Posted by: tha_watcha - Tuesday, 7 November 2017 17:46:37
[quote=tecman;70785]Please, give me a link and/or tell me where I can find detailed information about the installation process and this machine key. [/quote]
In the documentation: https://github.com/YAFNET/YAFNET/wiki/Installation
[quote=tecman;70785] [quote]If the machine key was not set, I changed the hashAlgorithm for the encryption in the new web.config for new Installs. So you might need to check the membership connection string[/quote] Where can I find this membership connection string?[/quote]
Sorry, I forgot to mention, it is also in the web.config.
[quote=tecman;70785] [quote]The Password and the Security Question/Answer are all stored encrypted via the machinekey. The only way to overwrite it directly in the db is to generate a new one via the API [/quote] Why can't we do that in the interface??[/quote]
Yes, that's a good question, I will add it to my to-do list.

Posted by: tecman - Tuesday, 7 November 2017 17:55:12
Even after reading the installation instructions using the provided link, I confirm again that I never changed the machine key hard-coded in the web.config files I have. Do you want to say that I could not log in because a security algorithm has changed since the v2.2.3?

Posted by: tha_watcha - Tuesday, 7 November 2017 18:05:25
[quote=tecman;70787]Even after reading the installation instructions using the provided link, I confirm again that I never changed the machine key hard-coded in the web.config files I have. Do you want to say that I could not log in because a security algorithm has changed since the v2.2.3?[/quote]
But did you change the membership connection string? You would only need to change it back, then you can log in again.

Posted by: tecman - Tuesday, 7 November 2017 18:12:50
Are we talking about the membership node from web.config? In the v2.2.3 installation package it was In the v2.2.4.4 it is I guess, this is the diff that caused the problem?

Posted by: tha_watcha - Tuesday, 7 November 2017 18:25:16
Yes, looks like the problem.

Posted by: tecman - Tuesday, 7 November 2017 18:37:10
As I understand, this also affects all other forum users, not only me - right? Ok, I will try to return to the previous version of the string tomorrow. Or maybe, there is no need to do that if I already solved the problem with my login? Wait until a forum user reports the problem with their login?

Posted by: tha_watcha - Wednesday, 8 November 2017 01:07:08
Yes, of course this affects all users.

Posted by: tecman - Wednesday, 8 November 2017 16:28:53
I changed the hashAlgorithmType back to SHA1 and was able to reset my password using the old security question. Now I know that I must not change this parameter in the future upgrades ;) Is there any big benefit in using the new SHA256 hash algorithm? And is it bad that I did not set a personal machine key for our forum when I initially established it? As I understand, now I need to live with the current security settings as they are "till the very end" and never change them in the future.

Posted by: tha_watcha - Wednesday, 8 November 2017 18:31:43
SHA256 is more secure than SHA1, but still you are safe to use the old hash algorithm. Only when you switch to a different server it's a problem not to set a machine key.
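
An added example, not part of the thread and not YAF's own code: a pre-upgrade check that compares the old and new web.config for the settings discussed above (the membership hashAlgorithmType and the machineKey validationKey/decryptionKey) and lists any that differ. The two config fragments, the provider name and the key values are constructed placeholders; keys are reported only as short fingerprints.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample fragments (placeholder names and keys), not the real YAF files.
OLD_CONFIG = """<configuration>
  <system.web>
    <!-- <machineKey validationKey="PLACEHOLDER" decryptionKey="PLACEHOLDER" /> -->
    <membership defaultProvider="ExampleProvider" hashAlgorithmType="SHA1" />
  </system.web>
</configuration>"""
NEW_CONFIG = OLD_CONFIG.replace('hashAlgorithmType="SHA1"', 'hashAlgorithmType="SHA256"')


def fingerprint(value):
    """Short digest so key changes are visible without printing the key."""
    return hashlib.sha256(value.encode()).hexdigest()[:12] if value else "not set"


def credential_settings(config_xml):
    """Extract the settings that decide whether stored credentials still verify."""
    web = ET.fromstring(config_xml).find("system.web")
    if web is None:
        return {}
    settings = {}
    membership = web.find("membership")
    if membership is not None:
        settings["membership/hashAlgorithmType"] = membership.get("hashAlgorithmType")
    # ElementTree skips XML comments, so a commented-out machineKey counts as not set.
    machine_key = web.find("machineKey")
    for attr in ("validationKey", "decryptionKey"):
        value = machine_key.get(attr) if machine_key is not None else None
        settings["machineKey/" + attr] = fingerprint(value)
    return settings


def upgrade_blockers(old_xml, new_xml):
    """List every credential-related setting that differs between the two configs."""
    old, new = credential_settings(old_xml), credential_settings(new_xml)
    return [
        f"{name}: {old.get(name)} -> {new.get(name)}"
        for name in sorted(set(old) | set(new))
        if old.get(name) != new.get(name)
    ]


if __name__ == "__main__":
    for finding in upgrade_blockers(OLD_CONFIG, NEW_CONFIG):
        print("DIFFERS:", finding)
```

Any line it reports is a setting to carry over from the old file before the upgraded site goes live, since existing credentials were stored under the old value.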