I'm trying to add authentication to an existing application for a company that has a table that stores its users with plain-text password. In Laravel, I know that I can use Auth::attempt() in order to authenticate a user, but the password is checked against a hashed password. How to I go about checking a plain-text password instead?
Just check the password and login user manually with the loginUsingId() method:
if ($user->password === $request->password) {
auth()->loginUsingId($user->id);
}
I'd also recommend you to hash all the passwords. Storing plain text passwords is a terrible thing to do. Do something like this just once (in Tinker, for example):
$users = User::all();
foreach ($users as $user) {
$user->update(['password' => bcrypt($user->password)]);
}
Related
please please someone help me , my boss would kill me , this code is not working in laravel , because password is hashed , it is bcryted , how do i compare and get my us_id ( wich stands for username_id ) , the one that tried to login but has the wrong password , do you have any suggestioin , what i'm trying to do is very simple , i'm trying to understand if the user entered a wrong password but his/her username is right . i am beginner . sorry for that :( . i know this won't work , but what should i do to understand if the user entered a wrong password ?
public function login(Request $request, Logs $logs)
{
$password = $request->input('password');
$myuser = \DB::table('users')->where('password', $password)->first();
if (\Hash::check($password, $myuser->password)) {
$logdata = $myuser->id;
$logs->insert($logdata);
return view('MainPages.example', ['pass' => $password]);
}
}
The password is hashed by Laravel, so use the Hash::check() method:
if (\Hash::check($password, $myuser1->password)) {
The Laravel Hash facade provides secure Bcrypt hashing for storing user passwords. If you are using the built-in LoginController and RegisterController classes that are included with your Laravel application, they will automatically use Bcrypt for registration and authentication.
https://laravel.com/docs/5.5/hashing
You can't expect this to work.
Passwords are stored encrypted. Multiple people could theoretically have the exact same password, but none of them would look identical when stored. Therefore you don't know what to look for in the record, even if you know what password you are looking for because you don't know what salt was used for the particular record where it is stored.
You just can't retrieve a record on a password lookup like this. Rather, you have to retrieve the record first (based on some other key, eg. username or id) and then see if the password encrypts to match from the given password that has the ever important salt.
2 and I am having a problem while i register and login a user.
I worked on codeigniter as following code has been used to store password and hash:
array('user_login_salt' => md5($time_now),'user_login_password' => md5(md5(md5($time_now) . $password)),
'user_password_hash' => $this->encrypt->encode($password, md5(md5(md5($time_now) . $password))),
'user_security_hash' => md5($time_now . $password))
and when i log in the use then check the password as per condition as follows:
md5(md5(strtolower($this->encrypt->decode($user_details_array['user_password_hash'], $user_details_array['user_login_password']))))=== $user_password..
Now in laravel I want to do the exact same thing for register a user and user login. What i need exactly is i need to store user login salt, user login password, user password hash and user security hash. Security hash must be 32 character long exactly..
So please looking for any solution which registers the user in the same way and login by user_password_hash...
Thank you
Solution 1: Use Laravel build-in auth for login, logout
- In Console run
php artisan make:auth
This command creates users table, UserController and User Model. Now you can access yoururl/login,..etc
Solution 2: Handle manually with Hash in Laravel. Ex: In Controller
- Hash password
$hashedPassword = \Hash::make($password);
- Compare password
// Return true if password matches hash
$check = \Hash::check('plain-text-password', $hashedPassword)
I am using in-built Registration and Login code in Laravel 5.1
What I am doing ?
I did the registration and credentials are being saved successfully.
What's the problem ?
When I try to do the login, it says "These credentials do not match our records."
In postLogin Method , I saw the code : $credentials = $this->getCredentials($request); and when I printed values in $credentials and found that the Password value is plain text.
May be that's the reason the below line when executes always says User not found
if (Auth::attempt($credentials, $request->has('remember'))) {
Please suggest me the path
You should use bcrypt to encrypt the user password.
$user = new App\User;
$user->email = 'test#test.com';
$user->password = bcrypt('plain-text-password');
$user->save();
The Hash::check method allows you to verify that a given plain-text
string corresponds to a given hash.
if (Hash::check('plain-text-password', $hashedPassword)) {
// The passwords match...
}
I made many changes in the Framework. Those changes were like adding new columns in the User Table and code changes. Also changed from password to Password. Then I realized that at Authenticatable class under getAuthPassword function, it had to be Password and not password
So, I'm switching over to laravel for my site. My old site currently holds around 500 users. Each user has a md5 hash attached to them, as the password (duh ^^).
As I'm switching over to laravel, I wish to use the Auth::attempt
unfortunately it uses its own method to hash password strings. I don't want all my users to change their password, because I'm switching to laravel, is it possible to make the Auth class use md5 instead, so my users don't have to switch password? :)
If yes, can someone show me how?
MD5 is horribly outdated. I recommend that you don't try to keep it.
Instead, when a user first logs in, and Auth::attempt fails, you should then try to compare their password to the database as MD5
$user = User::where('username', '=', Input::get('username'))->first();
if(isset($user)) {
if($user->password == md5(Input::get('password'))) { // If their password is still MD5
$user->password = Hash::make(Input::get('password')); // Convert to new format
$user->save();
Auth::login(Input::get('username'));
}
}
Don't use md5 for password hashing. Even the php manual warns against it: "Warning It is not recommended to use this function to secure passwords, due to the fast nature of this hashing algorithm.".But in your case you can use the below snippet in your project
$user = User::where([
'login_id' => $request->login_id,
'password' => md5($request->password)
])->first();
if ($user) {
Auth::login($user);
return redirect()->intended('home')->withSuccess('User Signed in');
}
My problem is that I can still log in even I typed in the wrong password. I can't seem to know if there's a problem on how I decoded the password.
encryption key:
$config['encryption_key'] = 'formcreatormj';
Log in code:
function login($email,$password){
$pw = $this->encrypt->decode($password);
$this->db->where('email',$email);
$this->db->where('password', $pw);
$query=$this->db->get('user');
if($query->num_rows()>0){
foreach($query->result() as $rows){
//add all data to session
$this->addSession($rows->id, $rows->username);
}
return true;
}
return false;
}
You should not be using the Encryption class for working with passwords. Passwords should be hashed one-way, to prevent the original plaintext from being recovered trivially. Codeigniter's Encryption class provides two-way encryption and is unsuitable for passwords.
Instead, you should be working with bcrypt - How do you use bcrypt for hashing passwords in PHP?
You are going about the hashing wrong. Typically you'd store the hash of the password in the database. i.e. when the user signs up, you $this->encrypt->encode() the password and store that in the database.
Next time the user tries to log in, you again hash the password they enter in the login and compare that to the hashed password in the database.
But, since, by default, codeigniter uses mcrypt, these hashes won't match. So what you need to do is pull the hash from the db, decrypt that and compare that with the submitted password.
$this->db->where('email',$email);
$query = $this->db->get('user')->row(0);
if($this->encrypt->decode($query->password) == $password){
//password OK
}else{
//password not OK
}
What you are doing is trying to decrypt the submitted password which isn't encrypted.
Edit: strongly agree with #xiankai You really should be using bcrypt for passwords.