Password migration from 1.4 to 1.6

mirroring · July 3, 2017

Hi to all, I have a shop in PrestaShop 1.4, the expert that should do the migration to 1.6 says to me that I don't have the cookie_key setted in my actual shop and if we want to add in the 1.6 to improve security all the customers password will be "lost" and they have to do the "password forget" procedure.

It's true? There is a way to mantain the same password adding this cookie_key in the new shop?

Thanks to everyone

bellini13 · July 4, 2017

why are you doing a migration to 1.6, instead of doing an upgrade to 1.6?

If you do a migration, which means you are transferring your stores information from one store to another store, then yes passwords will be an issue.

If you do an upgrade, which means you are upgrading your existing stores version to a new version, then no passwords will not be an issue.

mirroring · July 4, 2017

Thanks for your answer, if I do an upgrade and we'll set this cookie_key my "old" customers are be able to login with the same password?

bellini13 · July 5, 2017

if you do an upgrade, the cookie key will not change so customers will be able to log into the site using their existing password.

mirroring · July 6, 2017

if you do an upgrade, the cookie key will not change so customers will be able to log into the site using their existing password.

Maybe I was not clear, In my current shop this cookie_key is not set. If I do an upgrade this cookie_key still remain unset? Right?

bellini13 · July 6, 2017

why is the cookie key "not set" in your existing store?

You said you are using PS v1.4, and the cookie key would exist in the settings.inc.php file, otherwise I would expect your existing store not to be functional.

mirroring · July 18, 2017

Sorry, but I don't know why, my previous web developer made all, installation and customization, etc etc.

This is my actual settings.inc.php (a snippet)

define('_COOKIE_KEY_', '');
define('_COOKIE_IV_', 'xxxxxxxx');
define('_RIJNDAEL_KEY_', 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
define('_RIJNDAEL_IV_', 'xxxxxxxxxxxxxxxxxxxxxxx==');
define('_PS_VERSION_', '1.4.11.0');

bellini13 · July 18, 2017

then perhaps you should go back to your previous developer. It appears they have removed the cookie key value. perhaps you have a backup of this file from before your upgrade?

mirroring · July 19, 2017

then perhaps you should go back to your previous developer. It appears they have removed the cookie key value. perhaps you have a backup of this file from before your upgrade?

Which upgrade? I'm still on ps 1.4

bellini13 · July 19, 2017

You said...

Sorry, but I don't know why, my previous web developer made all, installation and customization, etc etc.

And I suggest that you should go back to your previous developer and find out what they did and why. Even in PS v1.4, the cookie key should have a value.

bestcoding.net · July 20, 2017

Without having a cookie key set, after the upgrade, clients will still be able to log in.

But the key should be set for security.

This can be fixed without losing passwords by old customers.

Old customers will log in using an empty cookie key, but after logging in, their password will be re-encrypted using the new cookie key.

To introduce such change, you have to commission it to a programmer.

Edited July 20, 2017 by bestcoding.net (see edit history)

El Patron · July 20, 2017

the cookie key etc. is set, i.e. xxx's.

you should download your shop to your computer then run scans on those fields too see if dev changed the code to use another key

bellini13 · July 20, 2017

The cookie key value is empty, not xxx

define('_COOKIE_KEY_', '');

mirroring · July 21, 2017

Thanks to all.

The cookie key value is empty, not xxx
define('_COOKIE_KEY_', '');

As said from bellini13, the _COOKIE_KEY_ is empty, and other values aren't 'xxxx', I've changed the values to post here the snippet.

And I suggest that you should go back to your previous developer and find out what they did and why. Even in PS v1.4, the cookie key should have a value.

At the moment, it's impossible to ask him.

Without having a cookie key set, after the upgrade, clients will still be able to log in.

But the key should be set for security.

This can be fixed without losing passwords by old customers.

Old customers will log in using an empty cookie key, but after logging in, their password will be re-encrypted using the new cookie key.

To introduce such change, you have to commission it to a programmer.

The key should be set, is the same thing that said my new programmer.

Thanks for the tip, I'll talk with him for this solution

bellini13 · July 21, 2017

This can be fixed without losing passwords by old customers.

I'm not sure this is a true statement... at least not without introducing custom code that attempts to validate the password without the cookie key first, and if it fails, then trying it with the new cookie key.

Password migration from 1.4 to 1.6

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in