Question

I get the following error when trying to login:

Error: Cookies are blocked due to unexpected output.

I customized the WordPress core functions wp_hash_password() and wp_check_password() to use the SHA1 algorithm for user authentication instead of MD5. I modified them in the pluggable.php file (not best practice but good for testing). The functions now look like this:

function wp_hash_password( $password ) {
            global $wp_hasher;

            if ( empty( $wp_hasher ) ) {
                    $wp_hasher = sha1( $password );
            }

            return $wp_hasher->HashPassword( trim( $password ) );;
    }

function wp_check_password( $password, $hash, $user_id = '' ) {
            global $wp_hasher;
            // If the hash is still md5...
            if ( strlen( $hash ) == 40 ) {
                    echo '<h2>'.$hash.'</h2>';
                    $check = hash_equals( $hash, sha1( $password ) );
                    if ( $check && $user_id ) {
                            // Rehash using new hash.
                            wp_set_password( $password, $user_id );
                            $hash = wp_hash_password( $password );
                    }

                    /**
                     * Filters whether the plaintext password matches the encrypted password.
                     *
                     * @since 2.5.0
                     *
                     * @param bool       $check    Whether the passwords match.
                     * @param string     $password The plaintext password.
                     * @param string     $hash     The hashed password.
                     * @param string|int $user_id  User ID. Can be empty.
                     */
                    return apply_filters( 'check_password', $check, $password, $hash, $user_id );
            }

            // If the stored hash is longer than an MD5,
            // presume the new style phpass portable hash.
            if ( empty( $wp_hasher ) ) {
                    require_once ABSPATH . WPINC . '/class-phpass.php';
                    // By default, use the portable hash from phpass.
                    $wp_hasher = new PasswordHash( 8, true );
            }

            $check = $wp_hasher->CheckPassword( $password, $hash );

            /** This filter is documented in wp-includes/pluggable.php */
            return apply_filters( 'check_password', $check, $password, $hash, $user_id );
    }

The conversion from password to SHA1 works perfectly, as well as the password check. I think a function responsible for setting the cookie is still using MD5. But I can't verify it and can't find the function.
Does anyone have an idea on this?

Thanks in advance
Jan


Solution

This line (at least) is being output before the cookie can be set:

echo '<h2>'.$hash.'</h2>';

Sending output to the screen (even empty lines) will prevent cookies being set.

From the PHP docs:

Like other headers, cookies must be sent before any output from your script (this is a protocol restriction). This requires that you place calls to this function prior to any output, including <html> and <head> tags as well as any whitespace.
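The restriction quoted above can be checked with PHP's headers_sent(), which also reports the file and line where output began. The following is an added example, not part of the original answer and not WordPress core code; the function names debug_hash_branch() and set_cookie_or_locate_output() are hypothetical. It moves the debug message to the error log (recording only the hash length, not the hash) and shows how a stray echo is located.

```php
<?php
// Added example: hypothetical helpers, not WordPress functions.

/**
 * Debug helper that writes to the PHP error log instead of the response body,
 * so it cannot start the response before the login cookie is set.
 * Only the hash length is logged, never the hash itself.
 */
function debug_hash_branch( string $hash ): void {
    error_log( sprintf( 'wp_check_password: stored hash length=%d', strlen( $hash ) ) );
}

/**
 * Set a cookie if headers can still be sent.
 * Returns null on success, or "file:line" of the statement that produced
 * the first output when the headers have already gone out.
 */
function set_cookie_or_locate_output( string $name, string $value ): ?string {
    if ( headers_sent( $file, $line ) ) {
        return $file . ':' . $line;
    }
    // expires=0 (session cookie), path=/, secure and httponly enabled.
    setcookie( $name, $value, 0, '/', '', true, true );
    return null;
}

// Constructed demonstration values.
$hash = sha1( 'constructed-password' );

// 1. Logging goes to the error log, so the cookie can still be set.
debug_hash_branch( $hash );
$first = set_cookie_or_locate_output( 'demo_cookie', '1' );

// 2. A debug echo like the one in the question starts the response body.
echo "<h2>debug output</h2>\n";
$second = set_cookie_or_locate_output( 'demo_cookie', '1' );

error_log( 'first attempt:  ' . ( $first ?? 'cookie header queued' ) );
error_log( 'second attempt: ' . ( $second ?? 'cookie header queued' ) );
```

If output_buffering is enabled in php.ini, a short echo may stay in the buffer and headers_sent() can still return false, so run the check with buffering off when hunting for stray output.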

Licensed under: CC-BY-SA with attribution
Not affiliated with wordpress.stackexchange