Invalid username or password after migrating

Hello,

Our users can no longer access the system since we migrated from version 2024 to 2025. Access is controlled by a user table in the database. We have never used the password hashing options; we only performed validation in the User_CustomValidate event as follows:

function User_CustomValidate(&$usr, &$pwd) 
{
    $pwd = md5("something"); 

    return false;
}

I know this is not the correct way to protect passwords, but I have to follow orders…

I have already performed the following tests:

  • I changed the user’s password to plain text and enabled the hashing option. The system allows access the first time, updates the database with the hash, but when trying to log in again, the password is no longer accepted. I believe I need to validate the hash on the next login attempt, but I don’t know where to insert the code.

  • I manually modified the Login.php script to force md5, but the isAuthenticated() event (which is not present in the 2024 script) always returns false.

I have also tried some other less relevant tests, but none worked.

I’m out of ideas. Could anyone help me? Thanks in advance.

You should not use User_CustomValidate server event to authenticate users. If you use simple md5 only, you should disable the follows:

You should also remove your User_CustomValidate server event.

When it works, you should enable Migrate password algorithm to automatically migrate your passwords to better algoithm.

Hello, thanks for your reply.

Hashed password and Case-sensitive password were always disabled. I have already removed the User_CustomValidate server event.

I tried enabling Migrate password algorithm and logging in by pasting the MD5 password into the password field. I was able to log in successfully, but the password was then updated in the database to the migrated algorithm, preventing me from logging in a second time.

I also tried changing my password to plain text in the database, but the same issue occurred: Successful login → Password is changed to the migrated algorithm → Subsequent login attempts fail.

  1. Make sure your password field size is large enough for the new (longer) passwords.
  2. Logout explicitly first, then login again, or remove cookies from your browser to make sure it is not affected by old cookies.

I created a test database and it worked. After contacting the database admin it seems the issue is in fact the field size.

Thank you for your help.