How to replace cakephp password hashing algorithm?

I have an existing database. I am trying to add a cake app. An old application used crypt() in Perl to hash passwords. I need to do the same in a PHP application.

Where is the appropriate place to make changes to the standard cakephp application? And how will that change?

+6
authentication php cakephp crypt
3 answers

I got this working...

Here is my AppController:

    class AppController extends Controller {

        var $components = array('Auth');

        function beforeFilter() {
            // this is part of cake that serves up static pages, it should be authorized by default
            $this->Auth->allow('display');

            // tell cake to look on the user model itself for the password hashing function
            $this->Auth->authenticate = ClassRegistry::init('User');

            // tell cake where our credentials are on the User entity
            $this->Auth->fields = array(
                'username' => 'user',
                'password' => 'pass',
            );

            // this is where we want to go after a login... we'll want to make this dynamic at some point
            $this->Auth->loginRedirect = array('controller'=>'users', 'action'=>'index');
        }
    }

Then here is the user:

    <?php
    class User extends AppModel {
        var $name = 'User';

        // this is used by the auth component to turn the password into its hash before comparing with the DB
        function hashPasswords($data) {
            $data['User']['pass'] = crypt($data['User']['pass'], substr($data['User']['user'], 0, 2));
            return $data;
        }
    }
    ?>

Everything else is fine, I think.

Here is a good resource: http://teknoid.wordpress.com/2008/10/08/demystifying-auth-features-in-cakephp-12/

+8

Actually the danb method described above did not work for me in CakePHP 2.x. Instead, I ended up creating a custom auth component to bypass the standard hash algorithm:

/app/Controller/Component/Auth/CustomFormAuthenticate.php

    <?php
    App::uses('FormAuthenticate', 'Controller/Component/Auth');

    class CustomFormAuthenticate extends FormAuthenticate {

        protected function _password($password) {
            return self::hash($password);
        }

        public static function hash($password) {
            // Manipulate $password, hash, custom hash, whatever
            return $password;
        }
    }

... and then use this in my controller ...

    public $components = array(
        'Session',
        'Auth' => array(
            'authenticate' => array(
                'CustomForm' => array(
                    'userModel' => 'Admin'
                )
            )
        )
    );

This last block can also be placed in the beforeFilter method of the AppController application. In my case, I just decided to include it in one controller, where I was going to use user authentication with a different user model.

+2

Just to follow up on this, in CakePHP 2.4.1 I created an interface for an outdated database with user passwords stored as md5(accountnumber:statictext:password), and for users to be able to log in, we needed to use this hashing system.

Solution:

Create the file app/Controller/Component/Auth/CustomAuthenticate.php with:

    <?php
    App::uses('FormAuthenticate', 'Controller/Component/Auth');

    class CustomAuthenticate extends FormAuthenticate {

        protected function _findUser($username, $password = null) {
            $userModel = $this->settings['userModel'];
            list(, $model) = pluginSplit($userModel);
            $fields = $this->settings['fields'];

            if (is_array($username)) {
                $conditions = $username;
            } else {
                $conditions = array(
                    $model . '.' . $fields['username'] => $username
                );
            }

            if (!empty($this->settings['scope'])) {
                $conditions = array_merge($conditions, $this->settings['scope']);
            }

            $result = ClassRegistry::init($userModel)->find('first', array(
                'conditions' => $conditions,
                'recursive' => $this->settings['recursive'],
                'contain' => $this->settings['contain'],
            ));
            if (empty($result[$model])) {
                return false;
            }

            $user = $result[$model];
            if ($password) {
                if (!(md5($username.":statictext:".$password) === $user[$fields['password']])) {
                    return false;
                }
                unset($user[$fields['password']]);
            }

            unset($result[$model]);
            return array_merge($user, $result);
        }
    }

The "extends FormAuthenticate" means that this file takes over the _findUser function, but defers to FormAuthenticate for all other functions, as usual. This is then activated by editing AppController.php and adding this to the AppController class:

    public $components = array(
        'Session',
        'Auth' => array(
            'loginAction' => array('controller' => 'accounts', 'action' => 'login'),
            'loginRedirect' => array('controller' => 'accounts', 'action' => 'index'),
            'logoutRedirect' => array('controller' => 'pages', 'action' => 'display', 'home'),
            'authenticate' => array (
                'Custom' => array(
                    'userModel' => 'Account',
                    'fields' => array('username' => 'number'),
                )
            ),
        )
    );

In particular, note the use of the associative array key 'Custom'.

Finally, it is necessary to hash the password when creating a new user, so I added this to the model file (in my case Account.php):

    public function beforeSave($options = array()) {
        if (isset($this->data[$this->alias]['password'])) {
            $this->data[$this->alias]['password'] = md5($this->data[$this->alias]['number'].":statictext:".$this->data[$this->alias]['password']);
        }
        return true;
    }
+1
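
Added example, not part of any answer above and not CakePHP's own code: a framework-independent check for the two legacy formats discussed on this page (crypt() with a two-character salt, and md5(number:statictext:password)). It goes one step beyond the answers by comparing in constant time and returning a password_hash() value to store after a successful legacy login. The function names and the sample row are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added example: names below are hypothetical, not CakePHP API.
const LEGACY_STATIC_TEXT = 'statictext'; // literal used in the third answer

// Legacy scheme from the third answer: md5(number:statictext:password).
function verifyLegacyMd5(string $number, string $password, string $stored): bool
{
    $candidate = md5($number . ':' . LEGACY_STATIC_TEXT . ':' . $password);
    return hash_equals($stored, $candidate); // constant-time comparison
}

// Legacy scheme from the first answer: traditional crypt() with a 2-char salt.
// The salt is the first two characters of the stored hash, so passing the
// stored value as the salt reproduces it without re-deriving it from the name.
function verifyLegacyCrypt(string $password, string $stored): bool
{
    return strlen($stored) === 13 && hash_equals($stored, crypt($password, $stored));
}

// Returns ['ok' => bool, 'newHash' => string|null]; a non-null newHash should
// be written back to the password column (PHP's manual recommends 255 chars).
function checkAndUpgrade(string $number, string $password, string $stored): array
{
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        $ok = password_verify($password, $stored);
        $upgrade = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    } elseif (strlen($stored) === 32 && ctype_xdigit($stored)) {
        $ok = $upgrade = verifyLegacyMd5($number, $password, $stored);
    } else {
        $ok = $upgrade = verifyLegacyCrypt($password, $stored);
    }
    return array(
        'ok' => $ok,
        'newHash' => $upgrade ? password_hash($password, PASSWORD_DEFAULT) : null,
    );
}

// Constructed sample row: account number 1001, password "hunter2".
$stored = md5('1001:' . LEGACY_STATIC_TEXT . ':hunter2');
$first = checkAndUpgrade('1001', 'hunter2', $stored);
var_dump($first['ok'], $first['newHash'] !== null);

// Second login against the upgraded hash: still valid, nothing to rewrite.
$second = checkAndUpgrade('1001', 'hunter2', $first['newHash']);
var_dump($second['ok'], $second['newHash']);

// Wrong password against the legacy row is rejected and nothing is upgraded.
var_dump(checkAndUpgrade('1001', 'wrong', $stored));
```

In a CakePHP 2.x app, a check like this would sit in the overridden `_findUser()` of a custom authenticate class such as the ones shown above, with the model saving `newHash` when it is not null.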