Symptom: After using ECShop's password retrieval to set a new password, the user cannot log in with the new password.
Analysis results:
In principle, ECShop stores the password as a single MD5 hash: after a new user registers, the password field in the database is indeed the plain MD5 value.
When the user logs in for the first time, however, ECShop does something rather clever: it checks whether the user's row has an ec_salt and, if it does not, generates an ec_salt and rewrites the password!
That is, the password written to the database at registration is changed after the first login. On later logins, the ec_salt value and the POSTed password are run through two rounds of MD5 for verification.
The catch is that password retrieval simply resets the password field to a single MD5 hash, even though the ec_salt value already exists.
The user then logs in with the new password, which is checked with the old ec_salt (the salted method). WTF, of course the login fails.
Workaround:
I didn't plan to dig into the underlying program, so I just edited line 170 of includes/modules/integrates/ecshop.php, adding, ec_salt= '
This forces ec_salt to be reset at login ....
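The mismatch described above can be reproduced with a small model of the three code paths. This is an added example, not ECShop's own code: the function names, the in-memory row, the exact salted form md5(md5(password) + ec_salt) and clearing ec_salt to an empty string on reset are assumptions (the snippet in the workaround is cut off).

```python
import hashlib
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def register(password: str) -> dict:
    # Registration stores a single MD5 and no salt.
    return {"password": md5_hex(password), "ec_salt": ""}


def login(row: dict, password: str) -> bool:
    if not row["ec_salt"]:
        # Unsalted row: compare against the single MD5 ...
        if row["password"] != md5_hex(password):
            return False
        # ... then generate a salt and rewrite the stored value.
        row["ec_salt"] = str(secrets.randbelow(9999) + 1)
        row["password"] = md5_hex(md5_hex(password) + row["ec_salt"])
        return True
    # Salted row: two MD5 rounds using the stored salt (assumed form).
    return row["password"] == md5_hex(md5_hex(password) + row["ec_salt"])


def reset_password(row: dict, new_password: str, clear_salt: bool) -> None:
    # The reset path writes a single MD5. Without clear_salt the old
    # ec_salt stays behind, which is the bug described above.
    row["password"] = md5_hex(new_password)
    if clear_salt:
        row["ec_salt"] = ""  # assumed form of the workaround


def scenario(clear_salt: bool) -> bool:
    row = register("old-pass")       # constructed sample credentials
    assert login(row, "old-pass")    # first login adds ec_salt
    reset_password(row, "new-pass", clear_salt)
    return login(row, "new-pass")


if __name__ == "__main__":
    print("reset keeps ec_salt  ->", scenario(clear_salt=False))
    print("reset clears ec_salt ->", scenario(clear_salt=True))
```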
ECSHOP Retrieve password cannot be used