nzrobert Posted December 12, 2009

Please help! I have successfully managed to get 2 websites operating on one back end, but I have an issue with a customer logging in to his / her account on either of the 2 websites. One website seems to allow access to the "my account" area, but the other website says authentication failed. I didn't think this would be a problem because we are using 1 database for both websites. Are the passwords created on registration using a specific key when they are created and therefore only work on that website? If this is the case, where can I change it so that the encryption of the passwords is identical on both websites? So that an account created on www.site1.com will also allow the customer to login to site2.com using the same login details. I am only assuming this is what is happening. Any other suggestions are welcome. Please help!
nzrobert (Author) Posted December 12, 2009

I have solved this issue. The problem was that each website was integrating its own _COOKIE_KEY_ with each password when they are created, reset or changed. Website A's _COOKIE_KEY_ will never match the _COOKIE_KEY_ of Website B, that's why you can't login to the same account from 2 different websites. While I have probably compromised the security a little with this change, this is what I did. I changed 2 files (classes/Customer.php and classes/Tools.php).

Changed classes/Customer.php:

    AND `email` = \''.pSQL($email).'\''.(isset($passwd) ? 'AND `passwd` = \''.md5(pSQL(_COOKIE_KEY_.$passwd)).'\'

To:

    AND `email` = \''.pSQL($email).'\''.(isset($passwd) ? 'AND `passwd` = \''.md5($passwd).'\'

and changed classes/Tools.php:

    return md5(pSQL(_COOKIE_KEY_.$passwd));

To:

    return md5($passwd);

on all websites involved. This effectively removed the integration of the cookie key with the passwords when they are created, reset or changed. I now have 2 websites, with one admin, where customers can log in using the same details into each website.
Radu Posted December 13, 2009

Sorry to ask, what's the reason to have 2 identical websites?
nzrobert (Author) Posted December 13, 2009

The main reason to have more than one website is to target different search engine keywords, on a per region basis. I.e. www.redshoes.co.uk (would rank better for "red shoes" in the UK than www.redshoes.co.nz would), but I also want to rank in, say, the US, Europe, Japan for the same search term, so I have more than one domain name, running the same products. Careful doing this, ensure that your content is not duplicated across your websites, as this will possibly drop your website out of the search engines. Cheers
Radu Posted December 13, 2009

Interesting, thank you for your message.
Pippo3000 Posted March 15, 2011

"While I have probably compromised the security a little with this change, this is what I did."

Hi, I would like to bump your own question you raised in the security forum: how big is the security impact of these code changes you made? Anybody here who can give an answer? Reason I ask is that I every once in a while face the same problem at my shop, well my customers do actually. Having them reset the password does not help. What does (seem to) help is if I set a new password for them in BO, just happened 10 mins ago with a customer who could not login. Interestingly enough I am NOT aware of any database changes and / or imports except that I added new products yesterday. But that should not trigger an authentication failed error, should it? But I am wondering how many customers try to login, get the error and revert to another shop instead of letting me know the issue... phil
Radu Posted March 15, 2011

Pippo3000, don't worry about the security impact. If someone steals your database (not easy) it will take him a little less to break some of your customer passwords (the weak ones and the ones from the dictionary).

nzrobert, why didn't you just change the cookie key in config/settings.inc.php to be the same for all your websites?
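The two approaches the thread compares (nzrobert's patch that drops _COOKIE_KEY_ from the hash, and Radu's suggestion of one shared key), as an added example that is not code from the thread or from PrestaShop: it emulates the md5(_COOKIE_KEY_ . $passwd) scheme in Python, leaves out pSQL(), and the site keys and password are constructed values.

```python
import hashlib
import hmac

# Constructed sample keys: each PrestaShop install generates its own
# _COOKIE_KEY_ in config/settings.inc.php; these values are made up.
SITE_KEYS = {"site1": "KEY-FOR-SITE1-a1b2c3", "site2": "KEY-FOR-SITE2-x9y8z7"}

# Radu's suggestion: every shop on the shared database uses the same key.
SHARED_KEYS = {"site1": "ONE-KEY-FOR-ALL-SHOPS", "site2": "ONE-KEY-FOR-ALL-SHOPS"}


def prestashop_hash(cookie_key: str, password: str) -> str:
    """Emulates the classes/Tools.php return: md5(_COOKIE_KEY_ . $passwd)."""
    return hashlib.md5((cookie_key + password).encode()).hexdigest()


def stripped_hash(password: str) -> str:
    """The thread's patch: md5($passwd) with the site key removed."""
    return hashlib.md5(password.encode()).hexdigest()


def verify(stored_hash: str, cookie_key: str, password: str) -> bool:
    """Constant-time comparison of a stored hash against a login attempt."""
    return hmac.compare_digest(stored_hash, prestashop_hash(cookie_key, password))


def cross_site_login(keys: dict, registered_on: str, login_on: str, password: str) -> bool:
    """Register on one shop, then try the same credentials on another.

    Both shops read the same customer table, so the stored hash is the
    same row; only the key the verifying shop applies can differ.
    """
    stored = prestashop_hash(keys[registered_on], password)
    return verify(stored, keys[login_on], password)


def key_removal_equals_plain_md5(password: str) -> bool:
    """Why Radu says the patch weakens things: with the key gone, the stored
    value is a plain unsalted MD5 of the password, identical across every
    shop and every customer who picks that password."""
    return stripped_hash(password) == prestashop_hash("", password)


if __name__ == "__main__":
    pw = "correct-horse"  # constructed sample password
    print("distinct keys, site1 -> site2:", cross_site_login(SITE_KEYS, "site1", "site2", pw))
    print("shared key,    site1 -> site2:", cross_site_login(SHARED_KEYS, "site1", "site2", pw))
    print("patched hash == plain md5:", key_removal_equals_plain_md5(pw))
```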