On my password reset page, I save the user's new password using Security::hash(). When I then try to log in, though, the hashed password saved in my database does not match the version that Auth comes up with when hashing my input in the login field.
I assume this is something like Security::hash() using my application salt to hash the password, whereas Auth doesn't use that salt?
How do you go about this?
Have you tried the AuthComponent::password() method instead?
Also, if the field is named password, check that AuthComponent hasn't already hashed it.
Edit: In 3.x, see DefaultPasswordHasher::hash() instead, as explained in Hashing Passwords.
It should be Security::hash($password, 'sha1', true)
You can leave the second parameter NULL because Auth uses the same hash as specified in Security.
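As an added example (not code from the thread or from CakePHP itself), the following plain PHP reproduces what the two answers above rely on: in CakePHP 2.x, Security::hash() with a true third argument prepends the application salt from core.php to the password before computing the digest, and AuthComponent::password() calls Security::hash($password, null, true), so the login path always hashes salted. The helper names cake2_style_hash and legacy_password_check and the salt value are this example's own; the blowfish type takes a different code path in the framework and is not modelled here.

```php
<?php
declare(strict_types=1);

// Stand-in for Configure::read('Security.salt') from core.php; the value is invented for this example.
const APP_SALT = 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi';

/**
 * Hypothetical helper mirroring CakePHP 2.x Security::hash() for the sha1/sha256 types:
 * if a salt is given it is prepended to the password, then the digest is computed.
 * AuthComponent::password() is Security::hash($password, null, true), i.e. always salted
 * with the application salt and the default hash type (sha1 unless it was changed).
 */
function cake2_style_hash(string $password, ?string $salt = null, string $type = 'sha1'): string
{
    $type = strtolower($type);
    if (!in_array($type, hash_algos(), true)) {
        throw new InvalidArgumentException("unsupported hash type: {$type}");
    }
    $input = ($salt === null) ? $password : $salt . $password;
    return hash($type, $input);
}

/**
 * What the login path effectively does: hash the submitted password exactly the way
 * AuthComponent::password() does and compare it with the stored value. hash_equals()
 * keeps the comparison constant-time so the position of a mismatch is not leaked.
 */
function legacy_password_check(string $submitted, string $stored, string $type = 'sha1'): bool
{
    return hash_equals($stored, cake2_style_hash($submitted, APP_SALT, $type));
}

$password = 'correct horse battery staple';

// 1. The reset page in the question: Security::hash($password) with no salt.
//    Auth prepends the salt before hashing, so this stored value cannot match at login.
$storedUnsalted = cake2_style_hash($password);

// 2. The fix from the answers: Security::hash($password, null, true) / AuthComponent::password().
$storedSalted = cake2_style_hash($password, APP_SALT);

// 3. The same password hashed under a different core.php salt, which is what a later salt
//    change looks like: every existing row stops matching until its user sets a new password.
$storedOldSalt = cake2_style_hash($password, 'salt-from-a-previous-core.php');

foreach (['unsalted' => $storedUnsalted, 'salted' => $storedSalted, 'old salt' => $storedOldSalt] as $label => $stored) {
    printf("%-9s %s -> %s\n", $label, $stored, legacy_password_check($password, $stored) ? 'match' : 'no match');
}
```

Only the salted value verifies. Note that a single application-wide salt in front of a fast digest like sha1 is not an acceptable password store by today's standards: every user shares the salt, and sha1 is cheap to brute-force. The 3.x DefaultPasswordHasher mentioned above wraps password_hash(), which generates a per-password random salt and uses bcrypt.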
Related
In my project, the password is hashed and saved in the database, but how can I get the original password if I forgot the password?
You can't, that's the whole point of using a hash.
If someone forgot their password, then they should set a new one, i.e. you should implement some form of password reset functionality accordingly.
You can't have it! If a user forgot his password, you can send him a link to create a new one (with questions to check his identity).
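The reset flow both answers describe, as an added example that is not part of the original posts: the old password is never needed, the e-mailed link carries a random token, and the server stores only a hash of that token together with an expiry. The in-memory array, the function names issue_reset_token and redeem_reset_token, the 30-minute lifetime and the example URL are all assumptions of this example; a real application would back it with a reset_tokens table.

```php
<?php
declare(strict_types=1);

const RESET_TTL_SECONDS = 1800; // reset links expire after 30 minutes (chosen for this example)

/**
 * Issue a reset token for $userId. The raw token goes into the e-mailed link only;
 * the store keeps a SHA-256 of it, so a leaked database copy contains nothing redeemable.
 * The store is keyed by the token hash; a DB would use an indexed column the same way.
 */
function issue_reset_token(array &$store, int $userId, int $now): string
{
    $raw = bin2hex(random_bytes(32));                 // 256 bits from the CSPRNG: not guessable
    $store[hash('sha256', $raw)] = [
        'user_id'    => $userId,
        'expires_at' => $now + RESET_TTL_SECONDS,
    ];
    return $raw;
}

/**
 * Redeem a token: it must exist, must not be expired, and is consumed on success.
 * Returns [user_id, new_password_hash] to write to the users table, or null on failure.
 */
function redeem_reset_token(array &$store, string $raw, string $newPassword, int $now): ?array
{
    $key = hash('sha256', $raw);
    if (!isset($store[$key])) {
        return null;                                  // unknown, or already used
    }
    $entry = $store[$key];
    unset($store[$key]);                              // single use: consumed whether valid or expired
    if ($now > $entry['expires_at']) {
        return null;                                  // expired links are never honoured
    }
    // Hash the new password the same way the login path verifies it (bcrypt via password_hash).
    return [$entry['user_id'], password_hash($newPassword, PASSWORD_DEFAULT)];
}

// Constructed walk-through
$store = [];
$now   = time();

$raw = issue_reset_token($store, 42, $now);
// The e-mailed link would carry $raw, e.g. https://app.example/reset/<token> (hypothetical URL).

$first  = redeem_reset_token($store, $raw, 'a-long-new-passphrase', $now + 60);
$replay = redeem_reset_token($store, $raw, 'a-long-new-passphrase', $now + 120);
$late   = redeem_reset_token($store, issue_reset_token($store, 42, $now), 'x', $now + RESET_TTL_SECONDS + 1);

echo ($first !== null && password_verify('a-long-new-passphrase', $first[1])) ? "reset ok\n" : "reset failed\n";
echo $replay === null ? "replay rejected\n" : "replay accepted!\n";
echo $late   === null ? "expired token rejected\n" : "expired token accepted!\n";
```

The first redemption succeeds and yields a bcrypt hash that password_verify() accepts; the replay and the expired token both return null. Two things the snippet leaves to the surrounding application: the form that requests a reset should respond identically whether or not the e-mail address exists, and a successful reset should invalidate the user's existing sessions and any other outstanding tokens.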
I am using CakePHP 2.3.4 with Basic authenticate.
My question is: if the same passwords are hashed, are the two hashed password strings the same? If not, which authenticate or password hasher can generate the same hashed passwords from the same passwords?
According to the CakePHP manual
In basic authentication, the username and password are transmitted as plain-text to the server.
So they are the same but they are not encrypted.
I personally do not recommend having the same hashed password if your application will be widely used. https://security.stackexchange.com/a/85075
Edit: Also, I forget whether using digest authentication gives you the same hashed password, so hopefully someone can chime in on that.
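Added example, not from the thread or from CakePHP: what the server side of Basic authentication actually receives, and why two accounts that chose the same password still end up with different stored hashes. The users, the password, the header values and the function names parse_basic_auth and authenticate are constructed for this example.

```php
<?php
declare(strict_types=1);

/** Parse an "Authorization: Basic <base64>" header into [username, password], or null if malformed. */
function parse_basic_auth(string $header): ?array
{
    if (!preg_match('#^Basic\s+([A-Za-z0-9+/]+={0,2})$#', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);            // strict mode: reject bytes outside the alphabet
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);                 // split once: the password may itself contain ':'
}

/**
 * Verify the submitted credentials against stored bcrypt hashes.
 * Unknown users are checked against a dummy hash so the response time does not
 * reveal which usernames exist. Returns the username on success, null otherwise.
 */
function authenticate(array $users, string $header): ?string
{
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => 12]);

    $creds = parse_basic_auth($header);
    if ($creds === null) {
        return null;
    }
    [$username, $password] = $creds;
    $stored = $users[$username] ?? $dummy;
    $ok = password_verify($password, $stored) && isset($users[$username]);
    return $ok ? $username : null;
}

// Constructed user table: alice and bob chose the same password. password_hash() draws a fresh
// random salt on every call, so the stored strings differ and a leaked hash for one account
// says nothing about the other.
$password = 'hunter2-but-longer';
$users = [
    'alice' => password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]),
    'bob'   => password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]),
];
echo 'stored hashes identical: ', var_export($users['alice'] === $users['bob'], true), "\n";

// What travels on the wire: the credentials, merely base64-encoded. Without TLS anyone on the
// path decodes them with one call; this is the "plain-text" the manual refers to.
$header = 'Basic ' . base64_encode('alice:' . $password);
echo 'on the wire: ', $header, "\n";
echo 'decoded:     ', base64_decode(substr($header, 6)), "\n";

$attempts = [
    $header,
    'Basic ' . base64_encode('bob:' . $password),
    'Basic ' . base64_encode('carol:' . $password),   // unknown user, same timing path
    'Basic not-base64!',                              // malformed header
];
foreach ($attempts as $h) {
    echo str_pad(substr($h, 0, 30), 32), authenticate($users, $h) ?? 'rejected', "\n";
}
```

Both alice and bob authenticate even though their stored hashes differ, because password_verify() reads the salt out of the stored string rather than recomputing a deterministic value. That is the property the linked security.stackexchange answer argues for: identical hashes for identical passwords would let an attacker crack one hash and match it against every row.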
I am using Blowfish to hash a password before save in my model like so:
...
$passHash = new BlowfishPasswordHasher();
$this->data[$this->alias]['password'] = $passHash->hash($this->data[$this->alias]['password']);
...
I am using a MySQL backend, and obviously I can't just assign a password in the password field for that user, because it will never authenticate with the Auth Component's authentication, which is using the Blowfish hasher.
So, how could I assign a user a custom password for them to use?
Why not just have an edit method in the Users model with a corresponding view baked up? You can edit the user's password there and it'll take care of password hashing if you send a password to the database that way.
With advice from a co-worker, I ended up creating a shell script to manage users.
In Console/Command I created UserShell.php, which has an updatePassword function that takes a username and a password as arguments. In the function I set the user using the username, and then use the following to save a custom password that is hashed by the model's beforeFilter:
set the user...
$this->User->saveField('password', $password);
This was a quick solution for my problem.
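A stand-alone version of the same idea, added here as an example and not the UserShell from the answer: a CLI script that writes a bcrypt hash for a given user in the form the login path will verify. It reads the password from stdin rather than from an argument, because argv is visible to every local user through ps and ends up in shell history. The in-memory SQLite table stands in for the MySQL users table, and the function names, column names and the 12-character minimum are assumptions of this example; on a 2.x install, confirm that the password hasher in use accepts the $2y$ bcrypt form that password_hash() produces before relying on it.

```php
#!/usr/bin/env php
<?php
declare(strict_types=1);

const MIN_PASSWORD_LENGTH = 12; // policy value chosen for this example

function usage_and_exit(): void
{
    fwrite(STDERR, "usage: echo 'new password' | set_password.php <username>\n");
    exit(2);
}

/** Read one line from stdin; the password never appears on the command line. */
function read_password(): string
{
    $line = fgets(STDIN);
    if ($line === false) {
        usage_and_exit();
    }
    return rtrim($line, "\r\n");
}

/** Hash and store the password; returns true when exactly one row was updated. */
function set_user_password(PDO $db, string $username, string $password): bool
{
    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        throw new InvalidArgumentException('password shorter than ' . MIN_PASSWORD_LENGTH . ' characters');
    }
    // bcrypt with a per-password random salt, the same form DefaultPasswordHasher::hash() produces in 3.x.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = $db->prepare('UPDATE users SET password = :hash WHERE username = :username');
    $stmt->execute([':hash' => $hash, ':username' => $username]);
    return $stmt->rowCount() === 1;
}

/** Confirm the stored hash verifies, which is what the Auth component will do at login. */
function check_user_password(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

$username = $argv[1] ?? null;
if ($username === null) {
    usage_and_exit();
}

// Stand-in for the MySQL connection; a real run would point the DSN at the application database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password TEXT NOT NULL)');
$db->exec("INSERT INTO users (username, password) VALUES ('alice', '')");

$password = read_password();
if (!set_user_password($db, $username, $password)) {
    fwrite(STDERR, "no such user: {$username}\n");
    exit(1);
}
echo check_user_password($db, $username, $password) ? "password updated and verified\n" : "stored hash does not verify\n";
```

Run it as `echo 'a-long-new-passphrase' | php set_password.php alice`. Because the script hashes with the same primitive the login path verifies with, the round trip through check_user_password() succeeds; writing a value into the password column by hand, as the question tried, fails precisely because that step is skipped.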
While developing my app, I suddenly can't login using Auth anymore, according to Cake, the password or username is not correct.
When I track the query, the password (hashed) that Cake is looking for is not the one that the user has. I matched the query password to the User table in MAMP.
What can be the reason for this sudden error? What can make Cake look for another password that does not exist in the user table?
All error logs are clear.
I can register a user without any issue
I use everything the standard Cake way (Auth, register process etc)
Many thanks!
Well, most likely you changed the salt value in core.php or the hash method, or both. Those are the only two reasons the hash is different for the same password.
I am interested in testing the incoming password field for a particular admin level password. If it matches, I want it to manually have Auth log in with whatever username they want (submitted via form)
My understanding is that Auth, in taking the data, will only authorize it if it sees the same email/hashed password in the database. Is there a way to get around this check to manually set it? Even $this->Auth->login(..) will do this check, right?
$this->Auth->login($userId)
Auth::login accepts either a username/password combination or simply a user id (the primary key of the user model in the database).
See my answer here: Using username instead of email in CakePHP's Auth Component
It's not the same question, but the idea is, when the login fails, you can intercept it and do what you want.