Password Reset Help

Yesterday I upgraded a site to 5.7 and it went fairly well, got some of the content back in place and started to find my way around.

This morning I tried to log in and my password would not work. I used the "Forgot Password" link and it has not sent me an email. Any thoughts on how I could reset my password would be appreciated.


View Replies:
digitaris replied on at Permalink Reply
NOTE: This technique is designed for those who have a working knowledge of editing PHP files and using an FTP server, and is intended as an emergency-only solution.

Concrete 5.7x uses a different approach to generating hashed password values, so password recovery techniques used for version 5.6x and prior won't work (with the exception of accessing mail server logs, provided you have such access). In order to reset a password using a technique that bypasses the standard reset options (e.g. the "Forgot Password" link on the login page), we need to use a page that is wired up with the appropriate classes that make our job easier and that utilize the new hash method. This guide uses the login.php page as its container page because this page is always available to users who have not logged in, whether a public site or a members-only site.

This approach will help you recover your site access in the event you can't remember and recover your password, such as when your site's mail server isn't sending the password reset emails. In fact, this solution can help you reset a password for any known user ID, if needed, so it's understandably dangerous in the wrong hands. You will need file-level, read/write access on the host server using FTP to implement this solution.

**IMPORTANT - Remember to remove this code from your login.php page immediately after gaining site access to prevent unauthorized access or viewing of your credentials, and to prevent repeat password resets.**

**Summary of Steps:**

Modify the login.php page to execute code to reset the specified user ID. You will want to use the override technique to make this change so you don't change the core files.

Change the two variable values in the script that identify the target known user ID and the new password.

Upload the changed file to your site's override folder location.

Using a browser, open the site's login page, which will immediately execute the password reset code.

Verify site access for the user by logging in to your site using the reset credentials.

Delete the override file or remove the inserted code if modifying an existing override file and verify the login.php page works without displaying any password reset message.

**Detailed steps:**
To begin, using your preferred FTP client, you will want to locate the current login.php page being used on your site. First, check your override folder named /application/single_pages/ and if you find a login.php file there you will want to download and modify this file (the override version filename, if it exists, will be "/application/single_pages/login.php"). If you don't find the login.php file in the overrides folder, then download the core login.php page found in /concrete/single_pages/ folder (the core filename is "/concrete/single_pages/login.php"). For the less technical users, I strongly suggest you make a copy of this file and store it safely, should you need to revert to the original.

Open the downloaded login.php file in your preferred editor, then copy the code below from the "== Start password reset ==" line to "== Finish password reset ==" line and insert the copied code immediately below the opening ?php tag found on the first line of the login.php file:

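```php
//========== Start password reset ==============
// IMPORTANT!! - Remember to delete this section when you have completed the password change!
use User as ConcreteUser;
use UserInfo as ConcreteUserInfo;
use View as ConcreteView;
use \Hautelook\Phpass\PasswordHash;
$reset_userID = 1;  // this userID will be an integer value > 0
$new_password = '1234';  // must have a value... null is not allowed, and only one or more spaces are not allowed!
if (is_null($new_password)) {
    echo 'Password Reset Error - A null password is not allowed!';
} else {
    if (strlen(trim($new_password)) > 0) {
        $ui = ConcreteUserInfo::getByID($reset_userID);
        if (is_object($ui)) {
            // NOTE: the post is cut off after the line above. The rest is completed from the
            // guide's description and assumes UserInfo::changePassword() and getUserName().
            $ui->changePassword($new_password);  // hashes with the 5.7 method and saves
            echo 'Password Reset - User "' . h($ui->getUserName()) . '" now has the password "' . h($new_password) . '".';
        } else {
            echo 'Password Reset Error - No user was found for that User ID!';
        }
    } else {
        echo 'Password Reset Error - An empty password is not allowed!';
    }
}
//========== Finish password reset ==============
```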

Locate the line that reads "$reset_userID = 1" and modify the "1" value in the script, if needed, to match the User ID you wish to change. The default value is "1" which represents the default "admin" user created during a standard Concrete5 installation.

Modify the value in the script for the variable named "$new_password = " to contain the desired password. The default value is "1234" and whatever value you enter should be a string, so remember to enclose it in single quotes (e.g. $new_password = '1234'). A null password or an empty string, including just spaces, is not allowed and will generate an error when the script executes.

Save the modified login.php file and upload it to your website server and place the file in the overrides folder named **/application/single_pages** (filename and location will be "/application/single_pages/login.php").

Open your site's login page: http://[site_domain]/index.php/login...
This will immediately execute the password reset script, and if successful you will see a notification to that effect. Any indicated error will require you to change the script and re-upload the login.php file and then re-open the login page.

Possible error messages:
The script will display an error if you enter an invalid User ID. Enter a valid User ID > 0. Remember, the default "admin" user has a User ID of **1**.
The script will display an error if you enter an empty string for the password ("" or ''), or if you only enter one or more spaces, or if you assign a null value to the password. Use a simple password, then once you gain site access, use the change password feature available in the User section of the Dashboard to create a more secure password.

If you receive a successful message, verify you can log in using the username and password indicated on the page.

Assuming you are now able to log in, it's time to reverse your changes. If you downloaded and edited a login.php file found in your overrides folder, then remember to immediately remove the code you pasted into the original login.php page, and re-upload the cleaned file to your overrides folder (overwrite the file found at "/application/single_pages/login.php"). If you downloaded the login.php from the core folder, then simply delete the file you uploaded into the overrides folder (delete the file named "/application/single_pages/login.php").

After making this final change to remove the password reset code, please verify that your login page displays without showing any password reset messages.
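
The cleanup step above can be checked on disk as well as in the browser. The script below is an added example, not part of digitaris's post or of Concrete5 itself: it inspects the override location named in the guide and reports whether the reset snippet is still present. The function name `audit_login_override` and the verdict strings are assumptions made for this example, and the sample tree in `demo` is constructed.

```shell
#!/bin/sh
# Added example: audit a Concrete 5.7 tree for a leftover login.php reset override.
# Prints one verdict: no-override | reset-code-present | same-as-core | override-clean
# Returns 1 only when reset code is still present.

audit_login_override() {
    site_root=$1
    override="$site_root/application/single_pages/login.php"
    core="$site_root/concrete/single_pages/login.php"

    if [ ! -f "$override" ]; then
        echo "no-override"
        return 0
    fi
    # Fixed-string markers taken from the reset snippet in the post above.
    if grep -qF -e 'Start password reset' -e '$reset_userID' \
                -e '$new_password' "$override"; then
        echo "reset-code-present"
        return 1
    fi
    # An override identical to core adds nothing and can simply be deleted.
    if [ -f "$core" ] && cmp -s "$override" "$core"; then
        echo "same-as-core"
        return 0
    fi
    echo "override-clean"
    return 0
}

# Constructed sample tree: an override that still carries the reset snippet.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/application/single_pages" "$tmp/concrete/single_pages"
    printf '<?php\n// core login page\n' > "$tmp/concrete/single_pages/login.php"
    printf '<?php\n$reset_userID = 1;\n' > "$tmp/application/single_pages/login.php"
    audit_login_override "$tmp" || true
    rm -rf "$tmp"
}

# With a site root argument, audit it; with none, run the constructed demo.
if [ $# -gt 0 ]; then
    audit_login_override "$1"
else
    demo
fi
```

Because the function returns a non-zero status only for `reset-code-present`, it can be run from a scheduled job or deployment check against the site root to flag a reset override that was never removed.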
zanedev replied on at Permalink Reply
Thanks worked for me!
ViktorNova replied on at Permalink Reply
This works great! Thank you so much for creating this.