Cannot change passwords after site migration

By pgplast - December 4, 2022

I recently moved the data from a long-existing site to a new, re-designed site. The site uses WebsiteMembership plugin to manage membership accounts. Happily, most things are working.

However, I have found that no users are able to update their passwords using the prescribed mechanism (see below).

Whenever one tries to do so, the system returns, "Current password isn't correct!"

The accounts table was recreated on the new server and users are able to log in with their existing passwords. However, no one can edit a password since the existing passwords are not recognized as the "oldPassword" by the system.

Can anyone help??

Thanks.

-------

    ### Change Password
    if (@$_POST['changePassword']) {
      $encryptPasswords = @$SETTINGS['advanced']['encryptPasswords'];

      // error checking
      $_REQUEST['oldPassword'] = preg_replace("/^\s+|\s+$/s", '', @$_REQUEST['oldPassword']); // v1.10 remove leading and trailing whitespace
      $oldPasswordHash = $encryptPasswords ? getPasswordDigest(@$_REQUEST['oldPassword']) : @$_REQUEST['oldPassword'];
      if (!@$_REQUEST['oldPassword']) { $errorsAndAlerts .= "Please enter your current password<br/>\n"; }
      elseif ($oldPasswordHash != $CURRENT_USER['password']) { $errorsAndAlerts .= "Current password isn't correct!<br/>\n"; }
      $newPasswordErrors = getNewPasswordErrors(@$_REQUEST['newPassword1'], @$_REQUEST['newPassword2'], $CURRENT_USER['username']); // v2.52
      $errorsAndAlerts .= nl2br(htmlencode($newPasswordErrors));

      // pmg: let's put the unencrypted password in as well
      $non_encrypted_password = @$_REQUEST['newPassword2'];

      // change password
      if (!$errorsAndAlerts) {
        $passwordHash = $encryptPasswords ? getPasswordDigest($_REQUEST['newPassword2']) : $_REQUEST['newPassword2'];
        mysql_update( accountsTable(), $CURRENT_USER['num'], null, array('password' => $passwordHash)); // update password
        // now the non-encrypted one
        mysql_update( accountsTable(), $CURRENT_USER['num'], null, array('non_encrypted_password' => $non_encrypted_password)); // update non-encrypted password
        websiteLogin_setLoginTo( $CURRENT_USER['username'], $_REQUEST['newPassword2'] ); // update current login session
        unset($_REQUEST['oldPassword'], $_REQUEST['newPassword1'], $_REQUEST['newPassword2']); // clear form password fields
        $errorsAndAlerts = "Thanks, we've updated your password!<br/>\n";
      }
    } ### END: Change Password
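
The check in the code above recomputes a digest and compares it to the stored value with `!=`. As an added example (not part of the original post and not the plugin's own code), here is a stand-alone current-password check that first looks at how the stored value is encoded and then verifies accordingly, next to the recompute-and-compare result. `storedPasswordFormat`, `verifyCurrentPassword`, the `$legacyDigest` callable (a stand-in for `getPasswordDigest()`, whose implementation is not shown on the page) and all sample values are assumptions; which format the migrated accounts table actually holds is not stated in the thread.

```php
<?php
// Added example; not plugin code. $legacyDigest stands in for getPasswordDigest().

/** Classify how the value in the password column is encoded. */
function storedPasswordFormat(string $stored): string {
    $info = password_get_info($stored);          // recognises password_hash() output
    if (!empty($info['algo'])) { return 'password_hash'; }
    if (preg_match('/^[0-9a-f]{32,128}$/i', $stored)) { return 'unsalted_digest'; }
    return 'plaintext_or_unknown';
}

/** Verify a submitted current password against the stored value. */
function verifyCurrentPassword(string $submitted, string $stored, callable $legacyDigest): bool {
    $submitted = trim($submitted);               // same intent as the page's preg_replace
    if ($submitted === '' || $stored === '') { return false; }

    switch (storedPasswordFormat($stored)) {
        case 'password_hash':
            // Salted hash: hashing the input again never reproduces the stored
            // string, so an equality test always fails. password_verify()
            // re-uses the salt and cost embedded in the stored value.
            return password_verify($submitted, $stored);
        case 'unsalted_digest':
            // Constant-time, type-strict comparison instead of != / ==.
            return hash_equals(strtolower($stored), strtolower($legacyDigest($submitted)));
        default:
            return hash_equals($stored, $submitted);
    }
}

// Constructed sample data: one password stored three different ways.
$digest  = fn(string $p): string => sha1($p);    // assumed stand-in digest
$samples = [
    'salted' => password_hash('S3cret!pass', PASSWORD_DEFAULT),
    'digest' => sha1('S3cret!pass'),
    'plain'  => 'S3cret!pass',
];

foreach ($samples as $label => $stored) {
    // "naive" mirrors the page's check with encryptPasswords enabled.
    $naive  = $digest('S3cret!pass') == $stored;
    $robust = verifyCurrentPassword(' S3cret!pass ', $stored, $digest);
    printf("%-7s %-21s naive=%-5s robust=%s\n", $label,
        storedPasswordFormat($stored), var_export($naive, true), var_export($robust, true));
}
```

Running `storedPasswordFormat()` over a few rows of the accounts table shows which branch the stored values fall into, and therefore whether a recompute-and-compare check can ever match them.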

By pgplast - December 4, 2022

BTW:

This is not just a problem with old migrated accounts, but also with new ones on the new server.

When new users sign up and are taken to the profile page, they cannot update their passwords.

Thanks for this, Dave. (Responded earlier by email)