Changes to password hashes

The method of hashing passwords has changed (previously, MD5 hashing was used before bcrypt; this was very insecure). As such, please note the following implications:

- If you have password change days set, Composr will not (correctly) check against past passwords members used prior to 11.beta1. So members will be able to use a prior password if they used it before you upgraded to 11.beta2.

• Also, Composr will only check the most recent 10 passwords a member used from now on.

- For security, the salts and hashes in f_password_history will no longer be the same as what was set in f_members (but they will still match whatever passwords were used).
- Passwords in f_members using the old hashing will be accepted but updated automatically to the new and more secure hashing the next time a member logs in or changes their password. As such, members should still be able to log in despite this change.
- This change does not affect the maintenance password in _config.php

Please report any issues to the tracker if you encounter any.

Changes to cookies

To make cookies more secure, by default Composr adds the __Secure- prefix to the user_cookie and pass_cookie name… and the __Host- prefix to the session_cookie name. We highly recommend adding these prefixes in if you define cookie names in _config.php (Composr will not do this automatically if you have them defined in _config.php). Composr will automatically account for your server environment when using these special prefixes. For example, if you define __Secure- in the name but are not running on HTTPS, Composr will not use that prefix on the cookie name. If you are not using HTTPS, you have a cookie domain set, or your path is not /, then Composr will automatically ignore the __Host- prefix.

Please report any issues to the tracker if you encounter any.

Changes to crypt.php

Generally no action is needed for this. But 11 beta2 changes how crypt is used. Session IDs now use base32 (numbers and lowercase letters except 0, 1, l, and o). Cookie log-in uses a much more secure/complex base64 string. And new site installs have a much more secure / randomised site salt. The use of md5 hashing is also removed in crypt because it is very insecure and negates the point of cryptographic security / randomness.

Please report any issues to the tracker if you encounter any.