FrootSnax Posted July 5, 2019 Report Share Posted July 5, 2019 (edited) One of the functions of the registration web application I'm building for my servers allows a user to change their password through the application, but during my testing I've seen some really weird behavior: The new 'sha_pass_hash' gets updated to appropriately reflect the value the user chose for their new password, and it allows them to log into the web application fine, but from within the 3.3.5a client, their old password is the one that still authenticates them successfully. At first I thought the old passwords were kept in memory somewhere, but I had power-cycled the VM running TrinityCore and the database and the behavior is persistent. My application doesn't store credentials in memory either, the most I do is serialize the 'username' and 'id' columns from 'auth.account' into a timed JWT that I use on my front-end for seamless navigation through the app without forcing the user to do basic HTTP authentication everytime an API endpoint is called. I was also wondering if this had something to do with the 'sessionkey' columns, however I can't find any description in the documentation about what those hashes are and if it's safe to clear them. Some code, for reference (The back-end for this is a REST API written in Python with Flask and Flask-SQLAlchemy): SQLAlchemy model for the 'account' table Authentication logic The 'update password' function Edited July 5, 2019 by FrootSnax Link to comment Share on other sites More sharing options...
Shauren Posted July 7, 2019 Report Share Posted July 7, 2019 You should either use SOAP from your website to connect to running worldserver and send .accont set password comand (preferred) or just clear s and v fields from auth.account (this method might go away in undetermined future) Link to comment Share on other sites More sharing options...
Recommended Posts