Absolutely loving what I see in Yii 2.0 so far and can’t wait to see it become production ready. In the meantime, I continue to play with the current build to learn more. The simple fact is, if I don’t understand what something is doing, I can’t use it in a product for someone.
With that in mind, I am hoping someone can walk me through (at a fairly detailed level) what is happening to data as someone creates an account or logs in. Here is what I understand so far:
1. New user visits the signup page, which is actionSignup of the SiteController.
2. This creates a new instance of the User model.
3. The User model creates a password_hash via generatePasswordHash.
   - A salt is generated by generateSalt as part of this process but doesn’t seem to be stored anywhere. If this salt is used in the hashing of the password but isn’t stored, how can it be used during the hashing of an entered password for authentication?
4. The User model creates auth_key via generateRandomKey.
   - What is this auth_key used for?
5. During login, validatePassword in the User model passes the entered password and the user’s hashed password to validatePassword in BaseSecurity for comparison.
I’m sure this all makes sense to someone that understands what is going on, but to me, I’m lost. I expected to see the creation of a new User generate a salt, append it to the entered password, then store the salt and the hashed password/salt combination in the database. For logging in, the user would be found, the salt returned from the database and appended to the entered password for hashing and comparison.
Can someone explain the few items above (the generation of a salt but not storing it and the usage of auth_key)? Also, if the above is not functioning as I expect, how might one go about creating and storing a salt in the database for the purpose I mentioned in the previous paragraph?
Thanks for the hard work that has gone into Yii and the helpfulness of the answer I’m sure I’ll receive.
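An added illustration of the storage scheme the question is about (my own example code, not Yii’s implementation and not part of the original post): with crypt()/bcrypt-style hashing the salt is written into the hash string itself, so storing password_hash also stores the salt, and verification reads the salt back out of that string. The function names and the cost of 12 are my assumptions.

```php
<?php
// Added example: why a separate "salt" column is unnecessary with crypt()-style hashes.
// The stored string has the layout  $2y$<cost>$<22-char salt><31-char hash>  (60 chars).

function createPasswordHash(string $password, int $cost = 12): string
{
    // password_hash() draws a random salt internally and embeds it in the result.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

function saltFromHash(string $hash): string
{
    // After the "$2y$NN$" prefix (7 characters) come the 22 salt characters.
    return substr($hash, 7, 22);
}

function validatePassword(string $password, string $hash): bool
{
    // crypt() takes the cost and salt from the stored hash, re-hashes the candidate
    // password with them, and returns a string that must equal the stored one.
    // hash_equals() compares in constant time.
    return hash_equals($hash, crypt($password, $hash));
}

// Constructed sample input: a hash produced at signup time and stored in the users table.
$stored = createPasswordHash('correct horse battery staple');

echo "stored hash: $stored\n";
echo "salt inside: " . saltFromHash($stored) . "\n";
echo "hash length: " . strlen($stored) . "\n";

// Login time: nothing but the entered password and the stored string is needed.
var_dump(validatePassword('correct horse battery staple', $stored));
var_dump(validatePassword('wrong password', $stored));

// password_verify() performs the same salt-from-hash comparison as a built-in.
var_dump(password_verify('correct horse battery staple', $stored));
```

Because every stored hash carries its own salt and cost, two users with the same password get different hash strings, and a verifier never needs a second column to find the salt.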