The Problem
After the hash update, the function

```php
bin2hex(random_bytes(40));
```

generates a string of 80 characters. Because the database field only accepts 40 characters, the value is truncated. When the user requests a password recovery, the email arrives correctly, but with the 80-character string:
localhost/login/verifypasswordreset/1/4d7b5b4cc077adae773ef4113a86b69d71ff6a002cab392d7deda38e5fc6728b90ff7b3e8997e95d
When the user clicks the link, the platform compares the data received with the data stored; they do not match and the system returns an error:
"FEEDBACK_PASSWORD_RESET_COMBINATION_DOES_NOT_EXIST"
The problem also occurs when creating new accounts:
localhost/register/verify/3/0cb0af07af231472b66598585a05a854355d70a7a8bbaeaf0c1ac0ab6df4d76dc7050e36899654bd
"FEEDBACK_ACCOUNT_ACTIVATION_FAILED"
Checked at https://www.writephponline.com :

```php
echo bin2hex(random_bytes(40)); // 80 characters
```
Solution
In order not to reduce the security offered by a long hash, the user_password_reset_hash AND user_activation_hash fields are increased to 80 characters.
panique/huge is a product that has been discontinued, so please check all functions before making updates.
A big hug
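As an added example, not code from this issue or from panique/huge itself: the script below reproduces the mismatch described above and shows why widening the column fixes it. The in-memory array stands in for a MySQL server running without STRICT_TRANS_TABLES, which silently truncates a value that is wider than its column (with strict mode on, the same INSERT/UPDATE would instead fail with "Data too long for column"). The column widths, the user id and the function names are assumptions made for the demonstration.

```php
<?php
// Added example (not panique/huge code). Simulates the reset/activation token
// round trip: generate -> store in a fixed-width column -> compare on verify.

const OLD_COLUMN_LENGTH = 40; // assumed CHAR(40) width before the fix
const NEW_COLUMN_LENGTH = 80; // width needed for bin2hex(random_bytes(40))

// Same generation as the issue describes: 40 random bytes -> 80 hex characters.
function generateToken(): string
{
    return bin2hex(random_bytes(40));
}

// Stand-in for a non-strict MySQL CHAR(n) column: oversized values are cut silently.
function storeTruncating(array &$db, int $userId, string $token, int $columnLength): void
{
    $db[$userId] = substr($token, 0, $columnLength);
}

// Stand-in for the verify step: the token from the emailed link must equal the stored one.
function verifyToken(array $db, int $userId, string $tokenFromLink): bool
{
    if (!isset($db[$userId])) {
        return false;
    }
    // hash_equals compares in constant time, so a mismatch does not leak its position.
    return hash_equals($db[$userId], $tokenFromLink);
}

$db = [];
$token = generateToken();
printf("token length: %d\n", strlen($token)); // 80

// Before the fix: the 80-char token is stored as its first 40 chars, so the link never matches.
storeTruncating($db, 1, $token, OLD_COLUMN_LENGTH);
var_dump(verifyToken($db, 1, $token)); // bool(false) -> "...DOES_NOT_EXIST" / "...ACTIVATION_FAILED"

// After the fix: the column holds all 80 chars and the same token verifies.
storeTruncating($db, 1, $token, NEW_COLUMN_LENGTH);
var_dump(verifyToken($db, 1, $token)); // bool(true)
```

The schema side of the fix is a column widening such as `ALTER TABLE users MODIFY COLUMN user_password_reset_hash VARCHAR(80), MODIFY COLUMN user_activation_hash VARCHAR(80);` (table name and column type are assumptions; check them against the installed schema). Whichever route is taken, the token length in PHP and the column width in SQL must be changed together, and enabling MySQL strict mode turns a silent truncation like this one into an immediate error during testing.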