
dhis2-devs team mailing list archive

Major changes to password handling


Hi devs,

Starting from trunk rev. 16881 (2.17 snapshot) we've made some major
changes to the password handling scheme of DHIS 2. In short: all passwords
and restore tokens are now stored as bcrypt hashes with random salts. This
gives a great boost to security, but might carry some challenges for
developers.

All existing users in the DB are now being migrated to bcrypt hashes *on
login*. In production this should work smoothly. However, in a development
context you might encounter the following situation:

 - Logging in with any user on DHIS rev >= 16881 will change the password
hash to the new scheme.
 - A development branch which has not been merged with DHIS rev > 16881 yet
will then fail to authenticate the same user (both branches run on the same
dev db) as the hash is not a valid MD5 digest anymore.

I strongly suggest you merge any active development branches with trunk
ASAP to avoid this conflict. You could also run any older branches on a
different database (the provided sample data has not yet been altered to
reflect the new scheme).

Feel free to email me if you have any questions.

Halvdan Grelland
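The "migrate on login" flow described in the message, as an added illustration that is not DHIS 2 code and not written by the author. It assumes Spring Security's `BCryptPasswordEncoder` as the bcrypt implementation, assumes the legacy format is a plain hex MD5 digest of the password, and uses an in-memory map in place of the users table; `PasswordUpgradeDemo`, `authenticate`, `legacyOnlyAuthenticate` and the sample row are all constructed for the example. The `legacyOnlyAuthenticate` method stands in for a branch that has not been merged with the new scheme, so the last two checks in `main` reproduce the dev-database conflict the message warns about.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/**
 * Illustrative "upgrade the hash on login" flow. Not DHIS 2 code: the user store,
 * the legacy format (hex MD5 of the password) and all names are assumptions.
 */
public class PasswordUpgradeDemo {

    // Default strength 10; encode() draws a fresh random salt for every hash.
    private static final BCryptPasswordEncoder BCRYPT = new BCryptPasswordEncoder();

    /** In-memory stand-in for the users table: username -> stored hash (assumption). */
    private final Map<String, String> userStore = new HashMap<>();

    /** Modular crypt format used by bcrypt: $2a$/$2b$/$2y$, two-digit cost, 53 chars of salt+digest. */
    static boolean isBcryptHash(String stored) {
        return stored != null && stored.matches("^\\$2[aby]\\$\\d{2}\\$[./A-Za-z0-9]{53}$");
    }

    /** Legacy scheme assumed for the example: lowercase hex MD5 of the UTF-8 password. */
    static String legacyMd5Hex(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(32);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    /** Constant-time comparison so the legacy path does not leak a timing signal. */
    static boolean legacyMatches(String password, String storedMd5Hex) {
        return MessageDigest.isEqual(
            legacyMd5Hex(password).getBytes(StandardCharsets.US_ASCII),
            storedMd5Hex.getBytes(StandardCharsets.US_ASCII));
    }

    /** New scheme: verify, and on success with a legacy hash replace it with bcrypt. */
    public boolean authenticate(String username, String password) {
        String stored = userStore.get(username);
        if (stored == null) {
            return false;
        }
        if (isBcryptHash(stored)) {
            return BCRYPT.matches(password, stored);
        }
        if (!legacyMatches(password, stored)) {
            return false;
        }
        // Legacy hash verified: the plaintext is in hand right now, so rehash it.
        userStore.put(username, BCRYPT.encode(password));
        return true;
    }

    /** What an un-merged branch that still expects MD5 does against the same row. */
    public boolean legacyOnlyAuthenticate(String username, String password) {
        String stored = userStore.get(username);
        return stored != null && legacyMatches(password, stored);
    }

    public static void main(String[] args) {
        PasswordUpgradeDemo demo = new PasswordUpgradeDemo();
        // Constructed sample row in the old format (not a real account).
        demo.userStore.put("sampleuser", legacyMd5Hex("sample-pass"));

        System.out.println("old branch, before migration: " + demo.legacyOnlyAuthenticate("sampleuser", "sample-pass")); // true
        System.out.println("new branch login (rehashes):  " + demo.authenticate("sampleuser", "sample-pass"));           // true
        System.out.println("stored hash is now bcrypt:    " + isBcryptHash(demo.userStore.get("sampleuser")));           // true
        System.out.println("old branch, after migration:  " + demo.legacyOnlyAuthenticate("sampleuser", "sample-pass")); // false
        System.out.println("new branch, wrong password:   " + demo.authenticate("sampleuser", "wrong"));                 // false
    }
}
```

The format check on the stored value is what makes the two schemes coexist in one table during the migration window; once the row has been rewritten, only code that understands bcrypt can verify it, which is exactly why an older branch sharing the same dev database stops authenticating that user.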
