How to set the functionality of the user password is changed in Bitrix?

Good day!

Is there a site on Bitrix.

The site has a login page /auth/, which is caused by the component bitrix:system.auth.form.
There is a page to request fingerprints and password recovery ( /forgot/ and /restore/, respectively).

Password recovery go to page /forgot/ where caused by the component bitrix:system.auth.forgotpasswd, enter the username or email and click send control string successfully comes in the mail (see in database that the user has changed the value of CHECKWORD ie sent a string is really relevant).

Everywhere, where components are displayed, set default templates, in order to avoid errors from my side..

Follow the link and get into the /restore/ where first used, the component bitrix:system.auth.changepasswd, but because of no return of error messages have been commented out and written the following code, which at least returns the error:
 global $USER;
 if($arResult["TYPE"] == "OK"){
 echo "Password successfully changed.";
 echo $arResult["MESSAGE"]; 
 echo '<pre>';
 echo '</pre>';

 if($arResult["TYPE"] != "OK"){ 
 <fo rm method="post" action name="bform" id="b-form">
 <input type="hidden" name="backurl" value>
 <input type="hidden" name="AUTH_FORM" value="Y">
 <input type="hidden" name="TYPE" value="CHANGE_PWD">

 <input type="text" name="USER_LOGIN" maxlength="50" value="<?=$_GET['USER_LOGIN']?>" class="bx-auth-input" placeholder="Your username">
 <input type="text" name="USER_CHECKWORD" maxlength="50" value="<?=$_GET[" user_checkword"]?>" class="bx-auth-input" placeholder="test string"/>

 <input type="password" name="USER_PASSWORD" maxlength="50" value class="bx-auth-input" autocomplete="off" placeholder="New password">
 <input type="password" name="USER_CONFIRM_PASSWORD" maxlength="50" value class="bx-auth-input" autocomplete="off" placeholder="Confirm password">
 <div class="clearfix b-form-buttons">
 <input type="submit" name="change_pwd" value="Change password">


If successful, the new password and confirm it (they are equal and comply with all the rules) get the array $arResult:
 [MESSAGE] => Incorrect check word for login "".


On the page after submitting the form loads the $_POST array, which confirms that USER_CHECKWORD still passed:
 [backurl] => 
 [USER_CHECKWORD] => 1a571b5f2170ff4ef7c0657c89befcd8
 [change_pwd] => Change password

Looked method code, this error occurs if it is empty (not passed) or it is not equal to the hash of the password from the database:
if($res["CHECKWORD"] == " || $res["CHECKWORD"] != $salt.md5($salt.$arParams["CHECKWORD"]))

BUT! If the page before you connect header.php to set the value of a constant define("AUTH", true) and request the password through derived forms, the password is successfully changed. WTF?

Dear experts, attention a question: "why there is such a problem and how to solve it?". Thanks in advance! I hope to help...
August 19th 19 at 23:23
1 answer
August 19th 19 at 23:25
For operation of system components bitrix:system.***.*** you must define define("AUTH", true). Why? I don't know the answer.

Find more questions by tags User identification