I have an existing database I'm trying to put a cake app on top of. The old app used crypt() in Perl to hash the passwords. I need to do the same in the PHP app.
Where is the correct place to make that change in a standard cakephp app? And what would such a change look like?
To protect passwords, experts suggest using a strong and slow hashing algorithm like Argon2 or Bcrypt, combined with salt (or even better, with salt and pepper). (Basically, avoid faster algorithms for this usage.) To verify file signatures and certificates, SHA-256 is among your best hashing algorithm choices.
password_hash() creates a new password hash using a strong one-way hashing algorithm. The following algorithms are currently supported: PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP.
Choosing a slow algorithm is actually preferred for password hashing. Of the hashing schemes provided, only PBKDF2 and Bcrypt are designed to be slow, which makes them the best choice for password hashing; MD5 and SHA-256 were designed to be fast, and as such this makes them a less than ideal choice.
Disadvantages of hashing: as hashing is a one-way operation, any code which attempts to decrypt the user's password will fail. On occasion such code can exist for legitimate purposes, such as validating if the user is providing their current password; however, this cannot be supported in 7.1.0 and above.
I got it working...
Here is my AppController:
class AppController extends Controller {
    var $components = array('Auth');

    function beforeFilter() {
        // this is part of cake that serves up static pages, it should be authorized by default
        $this->Auth->allow('display');
        // tell cake to look on the user model itself for the password hashing function
        $this->Auth->authenticate = ClassRegistry::init('User');
        // tell cake where our credentials are on the User entity
        $this->Auth->fields = array(
            'username' => 'user',
            'password' => 'pass',
        );
        // this is where we want to go after a login... we'll want to make this dynamic at some point
        $this->Auth->loginRedirect = array('controller'=>'users', 'action'=>'index');
    }
}
Then here is the user:
<?php
class User extends AppModel {
    var $name = 'User';

    // this is used by the auth component to turn the password into its hash before comparing with the DB
    function hashPasswords($data) {
        $data['User']['pass'] = crypt($data['User']['pass'], substr($data['User']['user'], 0, 2));
        return $data;
    }
}
?>
Everything else is normal, I think.
Here is a good resource: http://teknoid.wordpress.com/2008/10/08/demystifying-auth-features-in-cakephp-12/
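The answer above keeps the legacy Perl crypt() scheme (a two-character salt taken from the username) as the permanent hash. As an added example, not code from the original post or from CakePHP, the following plain PHP function verifies such a legacy hash with a constant-time comparison and, on a successful login, returns a modern password_hash() value so each record can be upgraded in place; the function and variable names, and the demo user/password, are assumptions for illustration.

```php
<?php
// Added example (not from the original post): verify a legacy crypt() hash
// and upgrade it to password_hash() once the user logs in successfully.
// Assumes the legacy scheme from the answer: traditional DES crypt() with
// the salt being the first two characters of the username.

function legacySalt(string $username): string {
    // Same salt derivation the answer's hashPasswords() uses.
    return substr($username, 0, 2);
}

function verifyLegacy(string $username, string $password, string $stored): bool {
    $candidate = crypt($password, legacySalt($username));
    // crypt() signals an unusable salt with a result starting with '*';
    // never let that compare equal to anything stored.
    if ($candidate === '' || $candidate[0] === '*') {
        return false;
    }
    // Constant-time comparison avoids leaking where the strings differ.
    return hash_equals($stored, $candidate);
}

/**
 * Returns the hash that should be stored after this login attempt,
 * or null when the credentials are wrong.
 * Legacy DES hashes (13 characters, no '$' prefix) are checked with crypt();
 * anything produced by password_hash() is checked with password_verify().
 */
function verifyAndUpgrade(string $username, string $password, string $stored): ?string {
    $isLegacy = ($stored === '' || $stored[0] !== '$');
    if ($isLegacy) {
        if (!verifyLegacy($username, $password, $stored)) {
            return null;
        }
        // Successful legacy login: replace the DES hash with bcrypt (PASSWORD_DEFAULT).
        return password_hash($password, PASSWORD_DEFAULT);
    }
    if (!password_verify($password, $stored)) {
        return null;
    }
    // Already modern; rehash only if the default cost or algorithm has changed.
    return password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : $stored;
}

// Constructed demo record: user "alice" with password "s3cret", hashed the legacy way.
$legacyHash = crypt('s3cret', legacySalt('alice'));
$upgraded   = verifyAndUpgrade('alice', 's3cret', $legacyHash);
assert($upgraded !== null && strpos($upgraded, '$2y$') === 0);  // now a bcrypt hash
assert(verifyAndUpgrade('alice', 'wrong-password', $legacyHash) === null);
assert(verifyAndUpgrade('alice', 's3cret', $upgraded) === $upgraded);  // modern path
```

In a Cake app the returned value would be written back to the user's `pass` column after a successful login, so the legacy hashes disappear as users sign in.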