I've struggled with a problem for a while now. I want to use Laravel for my website BUT I can only use SHA256 as the password encryption because of some other limitations in our project.
Basicly my problem consists of a function within Laravel that is used to check if the userdata is correct (Checks if the user can login) does not work for me because of my difference in encryption (Atleast that's my theory)
Auth::attempt(['username' => $username, 'password' => $password]
This function always returns false, no matter if the password is correct and I assume it's because of the difference in encryption.
Anybody know if there's a fix for this?
Auth::attempt(['username' => $username, 'password' => SHA256($password)]);
Here SHA256($password) you can call the function as the same which used for encryption and check it.
In this case, SHA256 (dummy function) will hash the password you passed and match the value.
EDIT 1
Sample Code for registration
$users = User::create([
'name' => $name,
'email' => $email,
....
....
'password' => SHA256($password)
]);
//to login with the above creds
Auth::login($users);
Now while login you can use the same SHA256 function to encrypt the input password and check with your database.
I fixed this issue with the help of the above comments from Arun Code and Andrew.
For anyone else with this issue I suggest reading this
Related
I use a different database and table for user authentication. Now I have current Hash as an example:
'$2a$08$UU.AJY.bcf0uJAp12WZvy.XE6CCgNAmuX8Hr17Pfkh3FRyFHWhBtO' = Test12345
But when I use Hash::check('Test12345', '$2a$08$UU.AJY.bcf0uJAp12WZvy.XE6CCgNAmuX8Hr17Pfkh3FRyFHWhBtO') it always returns false. So I think that's because the hashing uses a different method, so the prefix is $2a instead of $2y and 8 rounds instead of 12. I already tried to use $2y$12$UU.AJY.bcf0uJAp12WZvy.XE6CCgNAmuX8Hr17Pfkh3FRyFHWhBtO as my Hash to check, that doesn't work aswell and I just saw that on another stackoverflow post so I gave it a try.
Thanks in advance!
the same value can be hashed in different "codes"
to login use:
if (Auth::attempt(['email' => $request->email, 'password' => $request->password])) {
return "login sucess";
}
else{
return "fail";
}
Okay finally found it out. I first have to get the salt from the hash and hash the password once, then verify it and it works.
So I'm running one project created with Laravel 5.1 and one guy said to me that passwords are not secure something like hashes don't used etc. But I can clearly see in this function that passwords are bcrypted:
protected function create(array $data)
{
return User::create([
'name' => $data['name'],
'email' => $data['email'],
'password' => bcrypt($data['password']),
]);
}
And passwords also stored in DB as bcrypted. Should I be worried about his words?
Default Laravel Auth requires passwords to be bcrypted, as you've shown in your code. bcrypt is an industry standard one-way password hash and is very good.
If you roll your own authentication, we can't control how you handle your password hashing. But default Laravel Auth is secure.
If you are not using Laravel's inbuilt Authentication, use Laravel's Hash class. Hash::make('$data['password']'). But in your case, it looks solid and you don't have to worry about hashing again.
You can read https://laravel.com/docs/5.1/installation#configuration about the Application Key.
Because of bcrypt , you can only decrypt a password where it was encrypted.
I am not saying that it is perfectly safe, but even if someone knows how bcrypt works, if they don't know the encryption key, they will have a hard time decrypting it.
So make sure to php artisan key:generate , if you are not using .env configuration file.
I'm trying to implement authentication in laravel 4
When the user registers, I hash the password and save it, like this:
$password = Hash::make(Input::get('password'));
Then when the user tries to login, I want to authenticate him/her with the following code:
if (Auth::attempt(array('username' => Input::get('username'), 'password' => Hash::make(Input::get('password')))))
{
return Redirect::intended('dashboard');
}
and that never succeeds. I tried to debug the code and it seems that the Hash::make function always gives a different result.
Am I using a good authentication methods?
Don't Hash the password you are giving to the Auth::attempt method, it should be like this:
Auth::attempt(array('username' => Input::get('username'), 'password' => Input::get('password')));
You may also check the password using Hash::check('password', $hashedPassword). Read more about security on Laravel website.
Do not hash the password in the auth::attempt() function the code should be like this:
Auth::attempt(array('username' => Input::get('username'), 'password' => Input::get('password')));
The auth::attempt() will hash the password and then check if it matches the one stored in the database
To add some explanation to the answer, it is different every time because the hashing algorithm bcrypt generates a random string (salt) that has to be used to decrypt the password.
This is to protect passwords from rainbow table attacks. https://en.wikipedia.org/wiki/Rainbow_table
I am using CakePHP for my application, where I have a User model. This User has a password, which has a regex to validate.
The regex forces the user to use a password at least 6 characters long, containing at least 1 number and special char.
The validation looks like this:
'password' => array(
'ruleName' => array(
'rule' => array('custom', '/^.*(?=.{6,})(?=.*\d)(?=.*[a-zA-Z])(?=.*[##$%^&+=]).*$/i'),
'message' => 'Password not legit',
'allowEmpty' => true
)
)
When I want to edit my password, this validation works great. But when I want to edit the user (no option to change password there), the $this->User->save() fails.
If I debug my $this->User->validationErrors, the only thing shown is:
array(
'password' => '*****'
)
The password field is not set in my post data, so the validation should not happen at all.
When I comment this block of validation code, the user can be saved.
Anyone knows what I am doing wrong?
I solved it myself already. Before saving the User object, I already did a $this->User->Read(null, $userid) for other purposes.
This resulted in remembering the values of the read (including password) in the $this->User object.
Since the save method is called on the $this->User object, the password value is trying to get saved too. But since *** isn't valid according to the regex, the save fails.
Thanks for the help anyway!
I'm quite new to Auth module, and i'm trying to get login working, after reading documentation and googling like crazy i have this simple piece of code...
Auth::instance()->login('test', 'test');
if (Auth::instance()->logged_in()){
$this->request->redirect('user/index/');
}else{
echo 'fail';
}
This always returns false, my registration script looks like this:
$model = ORM::factory('user');
$model->values(array(
'username' => 'admin',
'email' => 'adsmin#example.com',
'password' => 'test',
'password_confirm' => 'test',
));
$model->save();
It creates user just fine, also it sets role_id to 1 and 2 which means i have admins/login rights, but it keeps failing anyways, if i would use Auth::instance()->force_login($user); everything work's just fine, so i'm guessing problem could be with hashing, but i have no idea where.
You must set driver to 'orm' in config/auth.php
Did you store the plaintext password or the hashed password? I think the Auth module login function hashes the password. So maybe you should save the hashed password.
You could hash your password by using:
Auth::instance()->hash('your_password');