I get the following error when trying to log in:

Error: Cookies are blocked due to unexpected output.

I customized the WordPress core functions wp_hash_password() and wp_check_password() to use the SHA1 algorithm for user authentication instead of MD5. I modified them in the pluggable.php file (not best practice but good for testing). The functions now look like this:

function wp_hash_password( $password ) {
    global $wp_hasher;

    if ( empty( $wp_hasher ) ) {
        $wp_hasher = sha1( $password );
    }

    return $wp_hasher->HashPassword( trim( $password ) );
}

function wp_check_password( $password, $hash, $user_id = '' ) {
    global $wp_hasher;
    // If the hash is still md5...
    if ( strlen( $hash ) == 40 ) {
        echo '<h2>'.$hash.'</h2>';
        $check = hash_equals( $hash, sha1( $password ) );
        if ( $check && $user_id ) {
            // Rehash using new hash.
            wp_set_password( $password, $user_id );
            $hash = wp_hash_password( $password );
        }

        /**
         * Filters whether the plaintext password matches the encrypted password.
         *
         * @since 2.5.0
         *
         * @param bool       $check    Whether the passwords match.
         * @param string     $password The plaintext password.
         * @param string     $hash     The hashed password.
         * @param string|int $user_id  User ID. Can be empty.
         */
        return apply_filters( 'check_password', $check, $password, $hash, $user_id );
    }

    // If the stored hash is longer than an MD5,
    // presume the new style phpass portable hash.
    if ( empty( $wp_hasher ) ) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        // By default, use the portable hash from phpass.
        $wp_hasher = new PasswordHash( 8, true );
    }

    $check = $wp_hasher->CheckPassword( $password, $hash );

    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters( 'check_password', $check, $password, $hash, $user_id );
}

The conversion from password to SHA1 works perfectly, as well as the password check. I think a function responsible for setting the cookie is still using MD5. But I can't verify and can't find the function.
Does anyone have an idea on this?

Thanks in advance
Jan


Solution

This line (at least) is being output before the cookie can be set:

echo '<h2>'.$hash.'</h2>';

Sending output to the screen (even empty lines) will prevent cookies being set.

From the PHP docs:

Like other headers, cookies must be sent before any output from your script (this is a protocol restriction). This requires that you place calls to this function prior to any output, including <html> and <head> tags as well as any whitespace.
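
An added example, not part of the original answer or of WordPress core: the same debugging done through the PHP error log, so nothing reaches the response body and the stored hash never appears on the page, plus a headers_sent() check that reports the file and line where output began. The helper names debug_note() and can_still_set_cookies(), the sample password and the cookie name are assumptions made for illustration.

```php
<?php
// Added example (not WordPress core code). debug_note() and
// can_still_set_cookies() are hypothetical helper names.

/**
 * Log a debugging note to the PHP error log instead of echoing it.
 * Nothing is written to the response, so headers and cookies can still be sent.
 */
function debug_note( $label, $hash ) {
    // Record only the length and a short fingerprint, never the hash itself.
    error_log( sprintf(
        '[pw-debug] %s: len=%d fp=%s',
        $label,
        strlen( $hash ),
        substr( hash( 'sha256', $hash ), 0, 8 )
    ) );
}

/**
 * Report where output started if the headers have already gone out.
 * Returns true while it is still possible to call setcookie() or header().
 */
function can_still_set_cookies() {
    $file = '';
    $line = 0;
    if ( headers_sent( $file, $line ) ) {
        error_log( "[pw-debug] output started at {$file}:{$line}" );
        return false;
    }
    return true;
}

// Constructed sample value: a 40-character SHA1 hex digest.
$hash = sha1( 'example-password' );

// Takes the place of: echo '<h2>'.$hash.'</h2>';
debug_note( 'stored hash', $hash );

if ( can_still_set_cookies() ) {
    // Constructed cookie name and value.
    setcookie( 'demo_cookie', 'ok' );
}
```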

Licensed under: CC-BY-SA with attribution