lingzhai wrote on Saturday, July 23, 2011:
I installed OpenEMR 4.0.0 release of March 26th,2011. I created a few users, but when I try login with these users I get login or password incorrect error, and I tested this many times. The only user I can login with is admin.
Does anyone has an idea what could be the problem? Thanks alot of any pointer.
jojohit wrote on Wednesday, July 27, 2011:
It is weird that only the admin emr account has access to openemr. I can make it work in Chrome and in Firefox it is flaky. I even tested deleting the emr user in phpmyadmin and re-creating the user in EMR, still does not work.
I have to unpack the .gz file onto the emr directory making sure that I save my original sites directory first then recopy back again. Then apply the openemr patch.
JP
penguin8r wrote on Wednesday, July 27, 2011:
Can you give us more information? What type of server platform, i.e. Windows or linux, what version? Was this a fresh install of OpenEMR or an upgrade from a previous version?
lingzhai wrote on Friday, July 29, 2011:
Issue resolved. I start with openemr-4.0.0.tar.gz and the patch, then install with fresh database. Thanks alot for the guide.
jojohit wrote on Monday, November 07, 2011:
I’d like to resurrect this issue as I am getting this problem again. It seems that regardless of it is a fresh install of OpenEMR the problem is persistent. When I use chrome it logs me in. When I use IE (v.9) no user can login but only admin. Why only admin ? I don’t know. What about chrome working and not IE, but IE if only it is admin ? I don’t know.
This is on ubunut 10.04 apache2, OpenEMR v.4.1.0 patch 3, migrated db from v.4.1.0 then run sql_upgrade, sql_patch and acl_upgrade. Note that I had this problem on v.4.1.0 also.
JP
==============
jojohit wrote on Tuesday, November 08, 2011:
The openemr log file shows that there was a failed login and the hash on the event log was equivalent to the hash for an MD5, not for SHA1.
JP
tmccormi wrote on Tuesday, November 08, 2011:
I had this same issue at one customer just on their Ie 8 and 9 win 7 machines. The system fails the test for sha1 and assumes incorrectly its md5 . I had to disable the test entirely for that install and none other.
Tony
jojohit wrote on Thursday, November 10, 2011:
I’m not sure if it has something to do with multiple sites. If I only have a “default” site I cannot replicate this problem, but in any case, I don’t know how exactly the problem becomes apparent.
JP
jojohit wrote on Thursday, November 10, 2011:
Since SHA1 is a NIST recommendation (it is even old now and SHA-256 is now the optimum), can MD5 be removed from the code ?
JP
yehster wrote on Thursday, November 10, 2011:
No, the MD5 routines cannot be removed.
The MD5 code is still required is for older users of the system. If we simply removed the MD5 code, those users would not have an upgrade path to the current version.
You could remove the MD5 code from your own system, but it needs to stay in the official code base. Of course it would be more beneficial if you can track down the underlying issue as it would be helpful if/when we need to migrate to stronger encryption again.