Posted:  01 Mar 2016 03:49
I mistakenly hit Send new password on my LuxCal login screen.  A new password was sent.  The new password and my old password both let me into the admin user account.

I entered into the User settings and assigned the old password to my admin account.  Both the new and the old password allow me to login to the admin account.

How do I get LuxCal to retain one and only one password per user account?

Posted:  01 Mar 2016 20:14
Hi Mark,

When a user selects Send new password, LuxCal keeps the old 'forgotten' password, just in case the user all of a sudden remembers the old password. And indeed, thereafter both the old and the new password can be used to log in.
This mechanism was put in place a long time ago and nobody ever reported this as a problem.
Now, giving this a second thought, it would maybe be better to automatically delete the previous password, if available, once the new password is used.
I will see what I can do.
Posted:  02 Mar 2016 01:09   Last Edited By: ml48603

The new password is by necessity mailed "unprotected", "exposed", and is now available to anyone, as it is stored on many mailservers.  In the past when I have forgotten a password, I log in with the "exposed" password and change it immediately so that criminals viewing emails on mailservers do not have a good password to get into my account.

So for users other than the main admin user, the only mechanism LuxCal offers is to create a new user account and assign a new password.  Then delete the old user account.  I see that a similar process cannot be used for the admin account, as the main "admin" user account cannot be deleted.

I looked in the MySQL table calN_users and saw two password fields, password and tpassword.  I deleted the value contained in tpassword and the reset password that was sent to me no longer lets admin log in to the site.
Posted:  03 Mar 2016 17:11
Hi Mark,

I've updated the login script as follows:
When a user asks for a new password, the new password and the old 'forgotten' password can both be used to log in.
However, once the user logs in, with either password, the other password will be automatically deleted.

So, to get rid of the second password, there is no need anymore to create a new user account.

If you're interested, I can send you the updated file by email.
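The behaviour described in this thread, as an added example (not LuxCal's own code): a user row with a `password` and a `tpassword` column, a "Send new password" step that fills `tpassword`, and a login that accepts either value but deletes the other one as soon as one of them is used. Hashing with salted PBKDF2, the in-memory SQLite store and the `UserStore` class are assumptions made for the example; the page does not say how LuxCal stores passwords.

```python
import hashlib
import hmac
import secrets
import sqlite3


def _hash(password: str, salt: bytes) -> str:
    # Salted PBKDF2 is an assumption for this example, not LuxCal's scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


class UserStore:
    """Constructed stand-in for the calN_users table with password/tpassword."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, "
                        "password TEXT, tpassword TEXT)")

    def add_user(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.db.execute("INSERT INTO users VALUES (?, ?, ?, NULL)",
                        (name, salt, _hash(password, salt)))

    def send_new_password(self, name: str) -> str:
        """'Send new password': store a temporary password in tpassword and
        return the clear-text value that would be mailed to the user."""
        temp = secrets.token_urlsafe(12)
        (salt,) = self.db.execute("SELECT salt FROM users WHERE name = ?", (name,)).fetchone()
        self.db.execute("UPDATE users SET tpassword = ? WHERE name = ?", (_hash(temp, salt), name))
        return temp

    def pending_reset(self, name: str) -> bool:
        (temp,) = self.db.execute("SELECT tpassword FROM users WHERE name = ?", (name,)).fetchone()
        return bool(temp)

    def login(self, name: str, password: str) -> bool:
        row = self.db.execute("SELECT salt, password, tpassword FROM users WHERE name = ?",
                              (name,)).fetchone()
        if row is None:
            return False
        salt, stored, temp = row
        candidate = _hash(password, salt)
        if hmac.compare_digest(candidate, stored):
            # Old password used: the mailed temporary password is discarded.
            self.db.execute("UPDATE users SET tpassword = NULL WHERE name = ?", (name,))
            return True
        if temp and hmac.compare_digest(candidate, temp):
            # Temporary password used: it becomes the only password, old one deleted.
            self.db.execute("UPDATE users SET password = ?, tpassword = NULL WHERE name = ?",
                            (temp, name))
            return True
        return False
```

Deleting `tpassword` by hand, as done in the thread, is the same as the `UPDATE ... SET tpassword = NULL` branch above; after the fix the first successful login performs it automatically.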