Our users can no longer access the system since we migrated from version 2024 to 2025. Access is controlled by a user table in the database. We have never used the password hashing options; we only performed validation in the User_CustomValidate event as follows:
function User_CustomValidate(&$usr, &$pwd)
{
$pwd = md5("something");
return false;
}
I know this is not the correct way to protect passwords, but I have to follow orders…
I have already performed the following tests:
I changed the user’s password to plain text and enabled the hashing option. The system allows access the first time, updates the database with the hash, but when trying to log in again, the password is no longer accepted. I believe I need to validate the hash on the next login attempt, but I don’t know where to insert the code.
I manually modified the Login.php script to force md5, but the isAuthenticated() event (which is not present in the 2024 script) always returns false.
I have also tried some other less relevant tests, but none worked.
I’m out of ideas. Could anyone help me? Thanks in advance.
Hashed password and Case-sensitive password were always disabled. I have already removed the User_CustomValidate server event.
I tried enabling Migrate password algorithm and logging in by pasting the MD5 password into the password field. I was able to log in successfully, but the password was then updated in the database to the migrated algorithm, preventing me from logging in a second time.
I also tried changing my password to plain text in the database, but the same issue occurred: Successful login → Password is changed to the migrated algorithm → Subsequent login attempts fail.