I have a problem authenticating a hashed password… I don't know what's wrong but I know it's not the values…
Here's the code for hashing a password before saving into the db:
public function beforeSave()
{
    $ph = new PasswordHash(Yii::app()->params['phpass']['iteration_count_log2'], Yii::app()->params['phpass']['portable_hashes']);
    // repeat_password is the confirmation field, which is equal to $this->password;
    // I used it here because I think hashing $this->password into itself would be redundant.
    $this->password = $ph->HashPassword($this->repeat_password);
    return parent::beforeSave();
}
Your beforeSave() method will always store a new hash when the user model is being saved. Does that happen outside the context of a password change? Because then, an empty string will be hashed and stored.
function HashPassword($password)
{
    $random = '';

    if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
        $random = $this->get_random_bytes(16);
        $hash = crypt($password, $this->gensalt_blowfish($random));
        if (strlen($hash) == 60)
            return $hash;
    }

    if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) {
        if (strlen($random) < 3)
            $random = $this->get_random_bytes(3);
        $hash = crypt($password, $this->gensalt_extended($random));
        if (strlen($hash) == 20)
            return $hash;
    }

    if (strlen($random) < 6)
        $random = $this->get_random_bytes(6);
    $hash = $this->crypt_private($password, $this->gensalt_private($random));
    if (strlen($hash) == 34)
        return $hash;

    # Returning '*' on error is safe here, but would _not_ be safe
    # in a crypt(3)-like function used _both_ for generating new
    # hashes and for validating passwords against existing hashes.
    return '*';
}
I will never have a password change. That's one limit of my system. But the hashing of the password is for creation only. It will not be updated… The only time it will be used is the creation of a new user account and the retrieving of data when a specific user logs in.
How do I code it in beforeSave? What parameter will replace storedHash?
public function beforeSave()
{
    $ph = new PasswordHash(Yii::app()->params['phpass']['iteration_count_log2'], Yii::app()->params['phpass']['portable_hashes']);
    // $ph is also redundant if I put
    $ph->CheckPassword($this->repeat_password, <dunno what to put here.>);
    //$this->password = $ph->HashPassword($this->repeat_password);
    return parent::beforeSave();
}
Your implementation is not correct; the given code will hash the password value when a change occurs. It will work the first time, but if the user changes something (not the password itself), the "beforeSave" method will hash the already hashed password.
I would not do it in the "beforeSave" method. I prefer a rather explicit way of setting the hashed password. You could do something like this:
class ModelWithPassword extends CActiveRecord
{
    // Called explicitly, and only when a new plaintext password is being set.
    public function setNewPassword($password)
    {
        $this->password = hashFunction($password);
    }
}

class ControllerThatHandlesRegistration extends CController
{
    public function actionRegister()
    {
        $model = new ModelWithPassword();
        if (isset($_POST['ModelWithPassword'])) {
            $model->attributes = $_POST['ModelWithPassword'];
            if ($model->validate()) {
                $model->setNewPassword($model->password);
                $model->save();
            }
        }
    }
}
PASSWORD storage in the database is only string(16), while the HASH is string(60), so the values are not stored correctly, thus comparing makes it impossible for them to be identical…
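Added example, not code from this thread: a Yii 1.x model, assuming phpass's PasswordHash class is loadable and Yii::app()->params['phpass'] is configured as in the posts above, that hashes only when a new plaintext password was supplied (so an ordinary update does not re-hash the stored hash, as warned above) and refuses to save when the declared column size would truncate the hash (the string(16) problem in the last post). The `new_password` attribute and `validatePassword()` method are assumed names.

```php
<?php
// Added example, not code from the thread. Assumes phpass's PasswordHash
// class is loadable and Yii::app()->params['phpass'] is configured as above.
class User extends CActiveRecord
{
    // Plaintext from the registration/login form; not a DB column, never saved.
    public $new_password;

    private function passwordHasher()
    {
        $cfg = Yii::app()->params['phpass'];
        return new PasswordHash($cfg['iteration_count_log2'], $cfg['portable_hashes']);
    }

    public function beforeSave()
    {
        // Hash only when a new plaintext was supplied, so an update of other
        // attributes does not hash the already hashed value a second time.
        if ($this->new_password !== null && $this->new_password !== '') {
            $hash = $this->passwordHasher()->HashPassword($this->new_password);
            // phpass returns '*' when no usable hashing method was available.
            if ($hash === '*') {
                $this->addError('password', 'Password hashing failed.');
                return false;
            }
            // A hash longer than the column (e.g. 60 chars into string(16))
            // would be silently truncated and could never verify again.
            $column = $this->tableSchema->columns['password'];
            if ($column->size !== null && strlen($hash) > $column->size) {
                $this->addError('password', sprintf(
                    'password column holds %d chars but the hash needs %d.',
                    $column->size, strlen($hash)));
                return false;
            }
            $this->password = $hash;
            $this->new_password = null;
        }
        return parent::beforeSave();
    }

    // Login check: compare the submitted plaintext against the stored hash.
    public function validatePassword($plaintext)
    {
        return $this->passwordHasher()->CheckPassword($plaintext, $this->password);
    }
}
```

With the 16-character column from the last post, this guard makes the save fail with a validation error instead of storing a truncated hash; widening the column (60 characters for bcrypt hashes, 34 for portable ones) resolves it.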