CakePHP: Auth issue, suddenly can't login anymore, password query does not match database - cakephp

While developing my app, I suddenly can't log in using Auth anymore; according to Cake, the password or username is not correct.
When I track the query, the (hashed) password that Cake is looking for is not the one that the user has. I matched the query password to the User table in MAMP.
What can be the reason for this sudden error? What can make Cake look for another password that does not exist in the user table?
All error logs are clear.
I can register a user without any issue.
I use everything the standard Cake way (Auth, register process etc.).
Many thanks!

Well, most likely you changed the salt value in core.php or the hash method, or both. Those are the only two reasons the hash is different for the same password.

Related

How to skip login in cakephp 2.6.7?

I have an old CakePHP application which requires login. I was working with the tables in phpMyAdmin and I accidentally deleted the user login/password entry from the table. Now I am not able to log in to the CakePHP application. I tried to create a login entry in the table but I am not sure how to insert a password in it; it is not working with a plain text password. I guess the app is looking for an encrypted password, which I don't know how to add to the table.
Either I need to disable the login from the cakephp application code and direct the user straight to the main page of the app
Or I need to encrypt the password correctly and insert it in the table.
Please help! I am not sure how to achieve either of these solutions.
Go to your Users controller and add the actions you need to create and save a new user:
$this->Auth->allow('display','save');
So you'll be able to enter those controller actions without any login.

How to move CodeIgniter user passwords to Laravel

I have a CI project and want to migrate its database to Laravel's.
The only problem is that they have different ways of hashing user passwords, so I cannot find a way to move them from one database to another.
I have already googled for the answer, but nothing I found speaks about migrating passwords.
Thanks in advance.
I have no experience with CodeIgniter and don't know how it does password hashing, but here's how I would approach the problem.
To make something clear: you can only "convert" the password to a Laravel hash if you have the actual password (in plain text). As you don't store the plain password, you only have it at the moment the user logs in or enters the password somewhere.
Therefore you have to realize that this migration isn't done in a few hours. It will take some time for all your users to enter their passwords.
So what I'm getting at is that you should add a field to your users table for the CodeIgniter password. Let's call it ci_password. (Or probably you just have to rename the old password column to this and create a new one for the Laravel password.)
Now every time a user logs in, you first check if a Laravel password is stored in the database and attempt a login. If there is no Laravel hash stored, check against the ci_password. (For this you will have to make CodeIgniter's hashing work inside your Laravel application. Sorry, I can't help you with that.)
If the ci_password is valid use the password input from the user and generate the Laravel hash (using Hash::make('secret')). Store the new hash in the database and delete (set to NULL) the ci_password.
This way the passwords will be migrated one by one and you have to do nothing. And maybe, on one lucky day, all old hashes will be migrated and you can remove this logic and the column in the database.

Using passwords hashed in CakePHP in Laravel environment

Currently I am working on rebuilding an existing website, the old site was written in CakePHP but the new one is in Laravel.
The old users will have to be able to login with the same password as they used on the old site, but those passwords were hashed in CakePHP.
My question is:
Is there a method which would enable me to use the CakePHP way of password hashing in Laravel?
I have tried looking for a package that could accomplish this, but to no avail.
I had a similar issue with a migration from a Drupal site, so it should be applicable here; I'll use CakePHP from now on instead of Drupal. I don't know if you are using a package like Sentry to handle the user accounts, or if it is something homegrown.
What I ended up doing was adding a second password field (cakephp_password) to my users table which contained the imported hashed passwords.
Then during the login process, I checked if the cakephp_password field was empty or not. If it was, I passed the password typed by the user through the CakePHP hash function, which I added to my class that handled the logins. I then compared the hash from the CakePHP function with the hash in cakephp_password. If the hashes matched, I passed the user's password through the hashing function of my Laravel user management class (Sentry in my case), added the calculated hash to the password field of the user, and deleted the hash in the cakephp_password field.
Now I could just call the login process normally as for any user.
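The lazy migration that both this answer and the CodeIgniter one describe (verify against the legacy column, rehash with the new scheme on success, clear the legacy column), as an added example that is not code from either answer. password_hash()/password_verify() stand in for Laravel's Hash::make()/Hash::check(), and sha1(salt . password) stands in for a CakePHP 2 style legacy hash; both stand-ins and LEGACY_SALT are assumptions for this example.

```php
<?php
// Added example, not code from either answer: lazy migration of legacy
// password hashes on login. The legacy column (ci_password / cakephp_password
// in the answers) keeps the old hash; the new hash goes into `password`.
// Stand-ins, assumed for this example: password_hash()/password_verify()
// for Laravel's Hash::make()/Hash::check(), and sha1(salt . password) for a
// CakePHP 2 style legacy hash. A CodeIgniter scheme would replace legacyVerify().

const LEGACY_SALT = 'constructed-legacy-salt'; // assumed; the real one lives in core.php

function legacyVerify(string $plain, string $storedHash): bool
{
    // hash_equals() keeps the comparison constant-time.
    return hash_equals($storedHash, sha1(LEGACY_SALT . $plain));
}

// Returns true on a successful login. On the first successful legacy login the
// row is rehashed with the new scheme and the legacy column is cleared.
function attemptLogin(array &$row, string $plain): bool
{
    // 1. A new hash exists: verify against it only; the legacy column is ignored.
    if ($row['password'] !== null) {
        return password_verify($plain, $row['password']);
    }
    // 2. Only the legacy hash exists: verify with the old scheme.
    if ($row['legacy_password'] === null || !legacyVerify($plain, $row['legacy_password'])) {
        return false;
    }
    // 3. Legacy check passed. The plaintext is in hand right now, so rehash it
    //    with the new scheme and drop the old hash so it is never consulted again.
    $row['password']        = password_hash($plain, PASSWORD_BCRYPT);
    $row['legacy_password'] = null;
    return true;
}

// Constructed stand-in for one users row, imported from the old application.
$alice = ['password' => null, 'legacy_password' => sha1(LEGACY_SALT . 'correct horse')];

attemptLogin($alice, 'wrong password');  // fails; the row is left untouched
attemptLogin($alice, 'correct horse');   // succeeds and migrates the row
attemptLogin($alice, 'correct horse');   // succeeds via the new bcrypt hash alone
var_dump($alice['legacy_password'] === null, password_get_info($alice['password'])['algoName']);
```

Once every row has a NULL legacy column, legacyVerify() and the column can be dropped, which is the end state the CodeIgniter answer describes.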

User Details Management

I have in my web application a role called "Administrator". Users who have this role should be able to modify the information about the registered users.
I am thinking about displaying a table with the user details such as e-mail and username, and being able to change them, but I don't know what I should do if a user comes to the office physically, goes to an admin and asks for a password change (yes, they can do that). Should the admin just press a reset button on the row and tell the user to check his e-mail when he arrives home and proceed with the recovery (a reset link, for example)? Or should the administrator reset the user's password and give him his new password at that very moment? The second approach is preferable, as I was asked to do that...
I know that the admin shouldn't be able to see the original password as it should be hashed and unknown.
What are your thoughts about this? How would you implement this functionality? Thanks for your help.
There is no one perfect answer for this question. The question of workflow will always be dependent on the specific use-cases of an application and will depend on the context it is built in.
That being said, you are right about one thing: it is a horrible, and I do mean horrible, security breach to let an admin or any other user view a clear text password for someone else. So that's definitely off the table.
In your case, it seems giving the admin the right to change someone's password is the way to go. If you're worried about how it looks, don't be. Google Apps allows domain administrators to change the password for any email account under that domain.
Finally, I would suggest a small additional safety measure. When an admin changes another user's password, store the old encrypted password in a column; don't delete it. When the admin sets the new password, shoot out an email to the user saying "Your password was changed by the Administrator; if you did not request this, please click here". When they click on the link in the email, simply overwrite the new password with their old one.
That way, in case an admin is changing passwords without the user requesting it, you have a recourse for the user, and the logs will keep you informed of how many times an admin has had a password reset revoked by the user.
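The safety measure described above (keep the previous hash, e-mail a link, restore the old hash when the user clicks it), as an added example that is not code from the answer. The in-memory arrays, password_hash() as the app's hashing, and the REVOKE_TTL window are assumptions for this example.

```php
<?php
// Added example, not code from the original answer: an admin-initiated password
// reset that keeps the previous hash together with a single-use revocation token,
// so the user can undo the reset from the e-mailed link. Arrays stand in for the
// users and revocations tables; password_hash() stands in for the app's hashing
// (both assumed for this example).

const REVOKE_TTL = 24 * 3600; // assumed lifetime of the revocation link

function adminResetPassword(array &$user, string $newPlain, array &$revocations, string $adminId): string
{
    $token = bin2hex(random_bytes(32));         // goes into the e-mail link only
    $revocations[hash('sha256', $token)] = [   // store just the token's hash
        'user'          => $user['id'],
        'previous_hash' => $user['password'],   // hash in force before the reset
        'expires'       => time() + REVOKE_TTL,
        'admin'         => $adminId,
    ];
    $user['password'] = password_hash($newPlain, PASSWORD_BCRYPT);
    error_log(sprintf('password of user %s reset by admin %s', $user['id'], $adminId));
    return $token;
}

function revokeAdminReset(array &$user, string $token, array &$revocations): bool
{
    $key = hash('sha256', $token);
    if (!isset($revocations[$key])) {
        return false;                           // unknown or already used token
    }
    $entry = $revocations[$key];
    unset($revocations[$key]);                  // single use, whatever the outcome
    if ($entry['user'] !== $user['id'] || $entry['expires'] < time()) {
        return false;
    }
    $user['password'] = $entry['previous_hash']; // restore the old hash verbatim
    error_log(sprintf('admin reset of user %s revoked by the user (admin %s)', $user['id'], $entry['admin']));
    return true;
}

// Constructed walk-through.
$revocations = [];
$user  = ['id' => 'u42', 'password' => password_hash('old secret', PASSWORD_BCRYPT)];
$token = adminResetPassword($user, 'temporary-pw', $revocations, 'admin7');
var_dump(password_verify('temporary-pw', $user['password'])); // admin-set password in force
var_dump(revokeAdminReset($user, $token, $revocations));       // user follows the link
var_dump(password_verify('old secret', $user['password']));   // original password back in force
```

The two error_log() lines are the audit trail the answer mentions: counting revocations per admin over time is a grep over them.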

CakePHP Auth Manual login

I am interested in testing the incoming password field for a particular admin-level password. If it matches, I want to manually have Auth log in with whatever username they want (submitted via form).
My understanding is Auth, in taking the data, will only authorize it if it sees the same email/hashed password in the database. Is there a way to get around this check to manually set it? Even $this->Auth->login(..) will do this check right?
$this->Auth->login($userId)
Auth::login accepts either a username/password combination or simply a user id (the primary key of the user model in the database).
See my answer here: Using username instead of email in CakePHP's Auth Component
It's not the same question, but the idea is, when the login fails, you can intercept it and do what you want.