I was reading the Authentication/Authorization docs, plus this custom-made one: http://www.yiiframew…opic,905.0.html which appears to be a good idea, but when managing users, e.g. CRUD, we generally save the user password in a hash format. Does Yii have methods for hash and salt creation, or is it up to the developer to do it?
You can write a filter and apply it when the user model accepts data.
<?php
class User extends CActiveRecord
{
    /**
     * Returns the static model of the specified AR class.
     * @return CActiveRecord the static model class
     */
    public static function model($className=__CLASS__)
    {
        return parent::model($className);
    }

    /**
     * @return string the associated database table name
     */
    public function tableName()
    {
        return 'user';
    }

    /**
     * @return array validation rules for model attributes.
     */
    public function rules()
    {
        return array(
            array('username','length','max'=>128),
            //array('password','length','max'=>128), don't need this because we md5 it
            array('password','filter','filter'=>'md5'), //amazingly makes this guy be an md5!!!!!!
            array('email','length','max'=>128),
            array('username, password, email', 'required'),
        );
    }

    /**
     * @return array relational rules.
     */
    public function relations()
    {
        return array(
        );
    }

    /**
     * @return array customized attribute labels (name=>label)
     */
    public function attributeLabels()
    {
        return array(
        );
    }

    /**
     * @return array customized behaviors
     */
    public function behaviors()
    {
        // Must return an array; an empty one means no behaviors are attached.
        return array();
    }
}
This is a quick proof of concept that is a drop-in replacement for the user model described in the definitive guide. I used md5, but you can use any function that accepts one argument and returns a string, so you could write a function:
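function hashPW($pw, $salt = null) {
    // Generate a 16-character salt when none is supplied.
    $salt = empty($salt) ? substr(md5(uniqid(rand(), true)), 0, 16) : $salt;
    // Store the salt in front of the digest so it can be recovered later.
    return $salt . sha1($salt . $pw);
}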
Then your function to compare would be
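function comparePW( $password, $hash )
{
    // The first 16 characters of the stored value are the salt.
    $salt = substr( $hash, 0, 16 );
    // Strict comparison, so two hex strings are never compared as numbers.
    return $hash === hashPW( $password, $salt );
}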
I have not tested this, so it may need some modification, but that is the idea.
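The salt-plus-SHA-1 layout from the post above can be verified and then upgraded to PHP's built-in password API at login time. This is an added example, not code from the thread; the function names legacyHashPW and verifyAndUpgrade and the sample values are hypothetical, and it assumes PHP 5.6 or later.

```php
<?php
// Added example with constructed sample values; not code from the thread.

// Legacy layout from the post: 16-character salt followed by sha1(salt . password).
function legacyHashPW($pw, $salt)
{
    return $salt . sha1($salt . $pw);
}

// New hashes: password_hash() generates the salt and embeds it, with the
// algorithm and cost, in the returned string.
function hashPW($pw)
{
    return password_hash($pw, PASSWORD_DEFAULT);
}

// Returns array(bool $ok, string|null $newHash). $newHash is non-null when the
// stored value should be replaced (legacy layout or outdated parameters).
function verifyAndUpgrade($pw, $stored)
{
    $info = password_get_info($stored);
    if ($info['algoName'] !== 'unknown') {          // password_hash() format
        if (!password_verify($pw, $stored)) {
            return array(false, null);
        }
        $new = password_needs_rehash($stored, PASSWORD_DEFAULT) ? hashPW($pw) : null;
        return array(true, $new);
    }
    // Legacy path: 16 salt chars + 40 hex chars of SHA-1, compared in constant time.
    $salt = substr($stored, 0, 16);
    if (strlen($stored) === 56 && hash_equals($stored, legacyHashPW($pw, $salt))) {
        return array(true, hashPW($pw));            // upgrade on successful login
    }
    return array(false, null);
}

// Constructed sample data.
$legacy = legacyHashPW('correct horse', '0123456789abcdef');
list($ok, $upgraded) = verifyAndUpgrade('correct horse', $legacy);
var_dump($ok, password_verify('correct horse', $upgraded));
list($bad, $none) = verifyAndUpgrade('wrong guess', $legacy);
var_dump($bad, $none);
list($again, $rehash) = verifyAndUpgrade('correct horse', $upgraded);
var_dump($again, $rehash);
```

When the second element is non-null, write it back to the user's password column; the PHP manual recommends a 255-character column for password_hash() output. In a Yii model, hashing in beforeSave() only when the password attribute has changed avoids re-hashing a stored hash, which a filter rule would do on every validate().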