Hashing a password - cakephp-2.0

I have built a login form but not a sign-up form, so I am putting the users' details directly into the SQL database.
I have found out that CakePHP automatically hashes the password when the user tries to log in, but at the moment I can't log in because the password in the database is not hashed.
How does CakePHP hash the passwords?
My security salt is Dhhfei38fhDg37dg6Dg208Dh3h380Hrjd3
Could you please walk me through what it does?

Hashed passwords in CakePHP are created by:
    $hashedPasswords = Security::hash($yourPass, NULL, true);
Check the CakePHP manual for more info.

    debug(AuthComponent::password("your-password"));
That's if you are hashing your password this way inside your User model:
    // CakePHP 2.x model callback: hash the password just before the row is written
    public function beforeSave($options = array()) {
        if (isset($this->data[$this->alias]['password'])) {
            $this->data[$this->alias]['password'] = AuthComponent::password($this->data[$this->alias]['password']);
        }
        return true;
    }
http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#hashing-passwords

Add a new user with a password. You can take the hash value of the new user's password and paste it into other users' records.

As of CakePHP 2.0, Cake only hashes passwords in the login process;
in other places (like a register method...) the password won't be hashed automatically. That's because it was considered strange behaviour by people who were new to CakePHP.
If you want to hash the password, you need to use the method Sudhir mentioned.
One of the advantages of Cake not hashing passwords automatically anymore is that you can more easily check the password complexity (whether special characters, numbers, letters etc. are included).

According to How to – password hashing in cakephp: "Security::hash takes the type sha1."

Related

Cakephp & user email confirmation

I'm new to PHP and CakePHP; I was following the Simple Authentication and Authorization Application tutorial from CakePHP (http://book.cakephp.org/2.0/en/tutorials-and-examples/blog-auth-example/auth.html). All seems to be working well.
I'm adding an email confirmation to activate the account when a user subscribes. In the tutorial the password uses the Blowfish password hasher, and I'm using it as a token in the link for the confirmation.
But I can't seem to be able to compare the link token with the password in the database...
    $passwordHasher = new BlowfishPasswordHasher();
    $motdepasse = $this->data['Utilisateur']['mot_passe'] = $passwordHasher->hash(
        $this->data['Utilisateur']['mot_passe']
    );
    $link = array('controller' => 'utilisateurs', 'action' => 'activate', $this->Utilisateur->id
        . '-' . $motdepasse);

    public function activate($token) {
        $token = explode('-', $token);
        $user = $this->Utilisateur->find('first', array(
            'conditions' => array(
                'id' => $token[0],
                'Utilisateur.mot_passe' => Security::hash($token[1], 'blowfish', 'Utilisateur.mot_passe')
            )
        ));
        debug($user);
        debug($token[1]);
        die();
    }
Can you help me? Thanks guys!
First of all, you shouldn't send the password hash around; no matter how safe the hash might possibly be, confirmation tokens should be generated separately! Simply store it in an extra column or in a separate table.
That being said, in your activate() method you are hashing the hash again, which, in case the hash were actually generated, would cause the comparison to fail. However, the script won't generate a hash, as you are using an invalid salt value, which should result in the following warning:
Invalid salt: Utilisateur.mot_passe for blowfish Please visit http://www.php.net/crypt and read the appropriate section for building blowfish salts.
and Security::hash() will return an empty string. If you don't get such a message, then you'll need to enable debug mode.
I'd suggest getting familiar with PHP, CakePHP, hashing and so on first before you try to implement security-related functionality!
You may want to check out https://github.com/CakeDC/users, it supports email verification and a lot more out of the box.
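The separate confirmation token the answer recommends, as an added example that is not code from the question, the answer or CakePHP: the token is produced by a CSPRNG, only its SHA-256 digest is stored on the user row (so a leaked table does not yield working activation links), it expires, and the activate step compares digests in constant time. Framework-free PHP; the column names activation_token and activation_expires and the id-token link layout are assumptions taken from the question's own link format.

```php
<?php
// Added example (not from the question or CakePHP): e-mail confirmation token
// that is independent of the password hash. Column names are assumptions.

/**
 * Create a fresh activation token. Returns the raw token for the e-mail link
 * and the values to store on the user row (digest + expiry, never the raw token).
 */
function createActivationToken($ttlSeconds = 86400) {
    // random_bytes() is PHP 7+; openssl_random_pseudo_bytes() covers PHP 5.3+.
    $raw = function_exists('random_bytes')
        ? random_bytes(32)
        : openssl_random_pseudo_bytes(32);
    $token = bin2hex($raw); // 64 hex chars, URL-safe and free of '-'
    return array(
        'token'    => $token,
        'userData' => array(
            'activation_token'   => hash('sha256', $token),
            'activation_expires' => date('Y-m-d H:i:s', time() + $ttlSeconds),
        ),
    );
}

/**
 * Verify a token taken from the activation link against the stored user row.
 * After a successful activation the caller should null out activation_token
 * so the link cannot be replayed.
 */
function activationTokenIsValid($presentedToken, array $row, $now = null) {
    $now = ($now === null) ? time() : $now;
    if (empty($row['activation_token']) || empty($row['activation_expires'])) {
        return false; // already activated or never issued
    }
    if (strtotime($row['activation_expires']) < $now) {
        return false; // expired
    }
    $expected = $row['activation_token'];
    $actual   = hash('sha256', $presentedToken);
    // hash_equals() (PHP 5.6+) avoids leaking the match position through timing.
    return function_exists('hash_equals')
        ? hash_equals($expected, $actual)
        : $expected === $actual;
}

// --- constructed walkthrough (sample data, not a real account) ---
$issued = createActivationToken();
$link   = '/utilisateurs/activate/42-' . $issued['token']; // id-token, like the question's link

// The user row as it would look after saving $issued['userData'] for user 42.
$row = array_merge(array('id' => 42), $issued['userData']);

list($id, $presented) = explode('-', basename($link), 2);
echo "user $id, link token:     ", activationTokenIsValid($presented, $row) ? "activated" : "rejected", "\n";
echo "user $id, tampered token: ", activationTokenIsValid(strrev($presented), $row) ? "activated" : "rejected", "\n";
echo "user $id, two days later: ", activationTokenIsValid($presented, $row, time() + 2 * 86400) ? "activated" : "rejected", "\n";
```

In a CakePHP controller the $issued['userData'] array is merged into the data passed to save(), and the activate() action loads the row by the id part of the URL and calls activationTokenIsValid() instead of re-hashing anything.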

Set random password

I'm quite new to phpCake and its principles and would like to know the cleanest solution for my requirement:
I'd like to set a random password when a new user is added.
The new user should receive an email with the password.
I see two possibilities to approach the random password:
1) Set the random password in the controller:
$this->request->data['User']['password'] = 'randomPassword';
The 'randomPassword' could be obtained by implementing a component.
2) The random password is set in the beforeSave method inside the user model. But how could I access this password from inside the controller then? I would need this to send the password in the email which is done inside my controller.
What is the cleaner solution? Or is there a better approach?
You'd do it on a beforeSave() callback method.
Details here: http://book.cakephp.org/2.0/en/models/callback-methods.html#beforesave
You can detect if they're creating a "new" user, as opposed to updating an existing one, then, if they're new, generate a password. When the user is saved, it will have the password data in it.
    // User model
    public function beforeSave($options = array()) {
        if (!isset($this->data['User']['id'])) {
            // generate password here
        }
        return true;
    }
Per the comments on your question, I don't think it's ideal to send the actual password, but - the above answer would work for generating a token or anything else you want to use.
    $randomPassword = md5(AuthComponent::user('id'));
    $this->request->data['User']['password'] = $randomPassword;
This will give you a giant password; you can cut it to the first 5-10 chars as you wish.
    $randomPassword = substr($randomPassword, 0, 10);
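A complete version of the beforeSave() approach discussed in this question, as an added example (not code from the answers above or from CakePHP): for new records only, the model draws the password from a CSPRNG with rejection sampling (so it is not derivable from the user id), stores the AuthComponent::password() hash, and keeps the plaintext in a model property that the controller reads once to send the e-mail. The property name $generatedPassword and the character alphabet are assumptions; AuthComponent::password() is the CakePHP 2.x hashing call shown on this page.

```php
<?php
// Added example (not from the page or CakePHP): User model for CakePHP 2.x.
// $generatedPassword is an assumed property name used to hand the plaintext
// to the controller exactly once.
App::uses('AuthComponent', 'Controller/Component');

class User extends AppModel {

    /** Plaintext of the last generated password; read it in the controller right after save(). */
    public $generatedPassword = null;

    /**
     * Build a random password from a CSPRNG. Bytes that would bias the
     * alphabet are rejected rather than reduced modulo its size.
     */
    public static function randomPassword($length = 12) {
        // 57 symbols; I, O, l, 0 and 1 left out so the e-mailed value is unambiguous.
        $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789';
        $max = strlen($alphabet);            // 12 symbols of 57 is roughly 70 bits
        $limit = 256 - (256 % $max);         // values at or above this are rejected
        $password = '';
        while (strlen($password) < $length) {
            $bytes = function_exists('random_bytes')
                ? random_bytes($length)
                : openssl_random_pseudo_bytes($length);
            foreach (str_split($bytes) as $byte) {
                $value = ord($byte);
                if ($value >= $limit) {
                    continue; // would make the low symbols more likely; draw again
                }
                $password .= $alphabet[$value % $max];
                if (strlen($password) === $length) {
                    break;
                }
            }
        }
        return $password;
    }

    public function beforeSave($options = array()) {
        // No primary key on the model or in the data means an insert, i.e. a new user.
        $isNew = empty($this->id) && empty($this->data[$this->alias][$this->primaryKey]);
        if ($isNew) {
            $this->generatedPassword = self::randomPassword();
            $this->data[$this->alias]['password'] = AuthComponent::password($this->generatedPassword);
        }
        return true;
    }
}

// In UsersController::add(), after a successful save:
//   if ($this->User->save($this->request->data)) {
//       $plain = $this->User->generatedPassword; // pass to the e-mail, then discard
//   }
```

Keeping the plaintext in a model property answers the controller-access question without putting the password into request data; it lives only for the duration of that request.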

Create encrypted passwords

I am using a small CakePHP setup with no forgot-password functionality. I want to be able to create a hashed password using the same security hashing method and cipher seed used on the site.
Is there a way to recreate the setup in a local PHP file which would output a hashed password the system would understand?
Make sure to specify that you're using the Security Component in whatever controller you're working in:
    public $components = array('Security');
Then, in the action (method/function...whatever):
    $myPassword = 'pizzaRules!';
    $hashedPassword = Security::hash($myPassword, null, true);
The true at the end says you want to use the site's salt.

cakephp sha1 password saving in mysql

I have a forgot-password feature in my CakePHP application. The function for this requests the email address, finds the user, generates a new password, converts it to SHA1, saves it to the database and emails the contents to the user.
Anyway, I am having issues: the generated SHA1 password is different from the one being saved.
I have printed the info to the screen to show what is happening:
TEMP PASSWORD- lHQcVp4 (FROM THE FUNCTION)
SHA1 PASSWORD- 0ee4ae757733f458b9e395a8457c2ef307af99f0 (FROM sha1($user['User']['tmp_password']);)
Auth Password PASSWORD- 93df9bd251620d0634235c22f4ab6fe9ad5421f4 (FROM: $this->Auth->password($user['User']['tmp_password']);)
DB Record After Save PASSWORD- 13ef648db45cc62b593c3943646806af06846016 (FROM $this->User->field('password');)
I am saving the data as follows: $this->User->save($user, false)
Why would it come through differently all 3 times? I cannot work it out. Very strange.
Thank you
    sha1($user['User']['tmp_password']);
This will simply hash the password and output the text.
    $this->Auth->password($user['User']['tmp_password']);
This hashes the password with the CakePHP salt defined in core.php. This is why you see a difference.
If you simply set the password value to $user['User']['password'] and call save() on it, Auth might be hashing the password again since it doesn't know you've already hashed it. Have you tried just setting the password to $user['User']['password'] and calling save() on it? Let Auth handle the hashing for you.
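A standalone PHP script, added here as an example (not code from the questions, answers or the CakePHP project), that reproduces what CakePHP 2.x AuthComponent::password() and Security::hash($password, null, true) compute with the default sha1 type: sha1(Security.salt . $password). It serves both the "Create encrypted passwords" question above (generating a usable hash outside the app) and the three differing values in the question just above it: a plain sha1() call omits the salt and so never matches what Auth produces. The salt constant is a placeholder to be replaced by the Security.salt value from the application's app/Config/core.php.

```php
<?php
// Added example (not from the page or CakePHP): recreate CakePHP 2.x's default
// password hash outside the framework. Replace the placeholder salt with the
// Security.salt value from app/Config/core.php of the target application.
define('SECURITY_SALT', 'REPLACE_WITH_Security.salt_FROM_core.php');

/**
 * Equivalent of Security::hash($string, 'sha1', true) in CakePHP 2.x:
 * the salt is prepended to the string and the result is hex-encoded SHA-1.
 * AuthComponent::password() calls exactly this with the configured salt.
 */
function cakeSha1Hash($password, $salt = SECURITY_SALT) {
    return sha1($salt . $password);
}

/**
 * Compare a candidate password against a stored hash in constant time.
 * hash_equals() needs PHP >= 5.6; older PHP gets a manual XOR loop.
 */
function cakePasswordMatches($candidate, $storedHash, $salt = SECURITY_SALT) {
    $computed = cakeSha1Hash($candidate, $salt);
    if (function_exists('hash_equals')) {
        return hash_equals($storedHash, $computed);
    }
    if (strlen($storedHash) !== strlen($computed)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($computed); $i < $n; $i++) {
        $diff |= ord($storedHash[$i]) ^ ord($computed[$i]);
    }
    return $diff === 0;
}

// Constructed sample input (the password from the "Create encrypted passwords" answer).
$password = 'pizzaRules!';
$salted   = cakeSha1Hash($password);
$unsalted = sha1($password);

echo "plain sha1(password):          $unsalted\n";
echo "sha1(Security.salt . password): $salted\n";
echo "identical? ", ($salted === $unsalted ? 'yes' : 'no'), "\n";

// $salted is the value to paste into users.password; a login with 'pizzaRules!'
// then verifies, while any other input does not.
var_dump(cakePasswordMatches($password, $salted));
var_dump(cakePasswordMatches('not-the-password', $salted));
```

Run it with the real salt and paste the printed salted value into the password column; the unsalted sha1() value is printed only to make the mismatch from the question visible. If the application has changed Security::$hashType or uses the Blowfish hasher mentioned elsewhere on this page, this script does not apply.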

How to: CakePHP logging in without password?

I'm trying to find a way to log in a user without a password.
The reason is that I have phpBB3 forums on my site and the users already log in there. So I'm now building an expansion to the site to have more than just the forum (using CakePHP). I thought that I could attach automatic account creation to CakePHP when a user creates an account on the forums (and of course another link for the existing users). So the users would get a CakePHP account that has the same username that they have registered on the forums. That means that the only way to register for the CakePHP part of the site would be to register on the forums first.
Now I'd like to handle the whole login thing through the phpBB3 login, so users would still log in to the forums, and then I'd attach a piece of code that would also log them in to the CakePHP part of the site with the username they used to log in to the forums.
This way I could also put users into their own ACL groups by their status on the forums.
That's what I'm after and I need to know the way to log in users this way. I'm not looking for complete code; I'm just looking for an answer that explains how I log in users in CakePHP without them having passwords at all.
I have also looked at http://bakery.cakephp.org/articles/wilsonsheldon/2009/01/13/phpbb3-api-bridge but it just doesn't quite look like what I'm looking for...
As far as I recall, Auth requires two pieces of info for a login.
You can change which fields in the users table are checked by Auth with:
    $Auth->fields = array(
        'username' => 'username',
        'password' => 'password'
    );
So if you want to be able to log in users according to their nickname and shoesize:
    $Auth->fields = array(
        'username' => 'nickname',
        'password' => 'shoesize'
    );
IMPORTANT:
The AuthComponent expects the password value stored in the database to be hashed instead of being stored in plaintext.
(I think it is a sha1 of the password and Security.salt)
In the above example, if any entries already existed in the database you'd have to overwrite the shoesize field for each of them with hashed versions of the shoesizes.
To generate a hashed password yourself you can use $Auth->password('A Password');
Quick and Dirty
If you fill the password fields in your users table with the return value of:
    $Auth->password(null);
Then you can use the following:
    $Auth->login(
        array(
            'User' => array(
                'username' => USERNAME_FROM_PHPBB3,
                'password' => null
            )
        )
    );
Less Quick and Dirty
When creating a new user, set the password field to the md5 hash of some random input.
    $this->authUser[$this->User->alias][$Auth->fields['password']] = $Auth->password(md5(rand() . rand()));
Use the username from phpBB3 to retrieve the relevant record from the users table in the database.
    $this->authUser = $this->User->findByUsername(USERNAME_FROM_PHPBB3);
If the query was successful, log in the user:
    if ($this->authUser) {
        if ($Auth->login($this->authUser)) {
            // Login Successful
        }
    }
From your CakePHP app you can check if a user exists in the phpBB forums table, and you can use the phpBB session to check if a user is logged in.
This function will solve your problem:
    // Written against AuthComponent internals (_setDefaults(), self::$sessionKey,
    // loggedIn()), so it belongs in a subclass of AuthComponent.
    public function forceLogin($userName = NULL) {
        $this->_setDefaults();
        $this->User = ClassRegistry::init('User');
        $this->User->recursive = 0;
        $user = $this->User->findByUsername($userName);
        if (!empty($user['User'])) {
            $this->Session->renew();
            $user['User']['id'] = null;
            $user['User']['password'] = null;
            $this->Session->write(self::$sessionKey, $user['User']);
        }
        return $this->loggedIn();
    }