2008-12-30 12:40:00
My custom login script from my website to atutor 1.6.1 was working BUT after i upgraded to atutor 1.6.2 the following custom script stopped working. Please help
script language="JavaScript" src="sha-1factory.js" type="text/javascript"></script>
function encrypt_password() {
document.form1.form_password_hidden.value = hex_sha1(document.form1.form_password.value);
document.form1.form_password.value = "";
return true;
}
2008-12-30 13:56:52
See the theme changelog
http://wiki.atutor.ca/display/atutorwiki/Themes+Change+Log
2008-12-30 14:19:22
Greg,
I am not expert in sessions. I am calling the atutor sigin code from html in a different server. I looked at the Atutor demo code and saw you hard coded the session ID.
Assuming that is the only difference, it still does not work for me.
Any eloboration on this issue would be much appreciated.
Thanks.
2008-12-31 06:39:44
Hi there!
The original 1.6.1 contained a security weakness which was later fixed with patch 0007 and eliminated as of 1.6.2. You were probably using unpatched 1.6.1, thus the problem after upgrading.
To fix that in your custom script, you should replace the line reading:
document.form.form_password_hidden.value = hex_sha1(document.form.form_password.value);
With:
document.form.form_password_hidden.value = hex_sha1(hex_sha1(document.form.form_password.value) + "< ?php echo $_SESSION['token']; ? >");
(without spaces inside opening and closing PHP tags (between "<" and "?php", and "?" and ">")).
For more information please refer to the description of patch 0007 in a 1.6.1 installation, if you have one available, or to http://update.atutor.ca/patch/1_6_1/1_6_1-6/patch.xml .
Hope that helps.
Happy New Year everyone!
[reply][b]In reply to:[/b]
My custom login script from my website to atutor 1.6.1 was working BUT after i upgraded to atutor 1.6.2 the following custom script stopped working. Please help
script language="JavaScript" src=...
[op]forums/view.php?fid=7;pid=16165;page=1#16165[/op][/reply]