2 and I am having a problem while i register and login a user.
I worked on codeigniter as following code has been used to store password and hash:
array('user_login_salt' => md5($time_now),'user_login_password' => md5(md5(md5($time_now) . $password)),
'user_password_hash' => $this->encrypt->encode($password, md5(md5(md5($time_now) . $password))),
'user_security_hash' => md5($time_now . $password))
and when i log in the use then check the password as per condition as follows:
md5(md5(strtolower($this->encrypt->decode($user_details_array['user_password_hash'], $user_details_array['user_login_password']))))=== $user_password..
Now in laravel I want to do the exact same thing for register a user and user login. What i need exactly is i need to store user login salt, user login password, user password hash and user security hash. Security hash must be 32 character long exactly..
So please looking for any solution which registers the user in the same way and login by user_password_hash...
Thank you
Solution 1: Use Laravel build-in auth for login, logout
- In Console run
php artisan make:auth
This command creates users table, UserController and User Model. Now you can access yoururl/login,..etc
Solution 2: Handle manually with Hash in Laravel. Ex: In Controller
- Hash password
$hashedPassword = \Hash::make($password);
- Compare password
// Return true if password matches hash
$check = \Hash::check('plain-text-password', $hashedPassword)
Related
We imported some users from our old script.
But we can't decrypt this users password.
So I defined a default password to this imported users.
I have a imported column on my users table.
So I want to do this:
When a user post the login form I want to check user is imported or not by using user's email.
Like:
if (User::where("email", $email)->first()->imported == 1) {
//change password parameter and then start auth proccess.
} else {
//nothing. just normal auth proccess
}
If it's imported user, I need to change password parameter's value to my default password and make it successfully login. Then I will send a confirmation mail to this user and force change his/her password. If it's not a imported user, nothing gonna happen just make it login in normal way.
Note: We can use same password hash code instead of laravel's hash. But we don't want to do this.
So how can I intervention to login post before start auth control.
I just want to do: this imported users should be login without error. Because this user's password not gonna match with our db records. I defined a custom password like "123456". User will try his old password. But I want to change his old password with "123456" and user can login the system and I can send confirmation mail for change his password.
First, the logic is bad for some security reasons. If I As a guest user or anonymous use happened to know an email then I can log in to the user account with an invalid or random password.
It is better to do it in another way. First, check the user's email, and if found one then email him a reset password link and don't log him in.
If the user owns the email address then he/she can reset his/her password and log in easily.
But if know what you are really doing then you can create your own login or AuthenticationController. and use your logic there. you can sign in the user by id without the default password. You don't need a default password in this case anyway because the end-user is not typing the default password.
Below is an example:
use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
class AuthencaticationController extends Controller{
public function login(Request $request){
$user = User::where('email', $request->email)->first();
//use might be null so you should first check
// otherwise an error will occure because we cannot use the property of null or non-object
if(is_null($user)) {
// redirect user back with error message
return back()->withErrors(['email => 'Email is incorrect']);
}
// for readbility i prefer to create isImproted() method in User model
// and return whatever to check if user is imported
if($user->imported) {
auth()->loginUsingId($user->id);
$request->session()->regenerate();
return redirect('email confirmation action path');
}
$request->session()->regenerate();
return redirect('redirect not imported users path');
}
}
Laravel documentation
Regenerating the session ID is often done in order to prevent malicious users from exploiting a session fixation attack on your application.
Note that this just a simple way to do that you can refactor it in many ways.
I created user and I gave him password 'secret'.
The hash that was generated by the registration process is
$10$TKh8H1.PfQx37YgCzwiKb.KjNyWgaHb9cbcoQgdIVFlYg7B77UdFm
I wanted to generate it in the code so I used Hash::make('secret') and I got:
$2y$10$Hnbg7DCp2VObns4cbr580uo9VTYgzJF2BSNSpA7S8BYjkAgfUlH.G
finally I used bcrypt('secret') and I got:
$2y$10$5g1bhkHB7kRk8SkM3yS/YOifsEesjZ31YeYnRlE.bxSBmZutVCuui
These are all different hashes, How can I generate one that would let me change password inside my code?
It's because bcrypt doesn't work as SHA-256, it uses a key that would change the result of the hash itself for the same string.
In Laravel, you can use Hash::check('plain-text', $hashedPassword) to check the password, but you will never have the same result for the same password. check here
You can use bcrypt(secret") and leave it at laravel and test it (everything is working).
It works as intended, bcrypt doesnt always generate the same hash. Laravels Hash::check() function will return true for any valid hash of the given password.
For mor informations, look here: https://stackoverflow.com/a/8468936/6622577
Bycrypt is a more secure password hashing algorithm. Unlike md5() or SHA1() bycrypt does not always generate the same hashed value for a specific string.
So when you are storing the hashed password in the database you will use
$password = bcrypt($input['password']);
Afterwards, when you wish to check at the time of login you simply set the plain-text password (As you might be getting it from user input) and run a function called Auth::attempt() to match the password.
$userdata = array(
'username' => $input['username'],
'password' => $input['password'],
);
if (Auth::attempt($userdata)) {
// Password matched
}
And if you want to explicitly check the plain-text password corresponding to its hash then use Hash::check() as below:
Hash::check('plain-text-password', 'hashed-password);
please please someone help me , my boss would kill me , this code is not working in laravel , because password is hashed , it is bcryted , how do i compare and get my us_id ( wich stands for username_id ) , the one that tried to login but has the wrong password , do you have any suggestioin , what i'm trying to do is very simple , i'm trying to understand if the user entered a wrong password but his/her username is right . i am beginner . sorry for that :( . i know this won't work , but what should i do to understand if the user entered a wrong password ?
public function login(Request $request, Logs $logs)
{
$password = $request->input('password');
$myuser = \DB::table('users')->where('password', $password)->first();
if (\Hash::check($password, $myuser->password)) {
$logdata = $myuser->id;
$logs->insert($logdata);
return view('MainPages.example', ['pass' => $password]);
}
}
The password is hashed by Laravel, so use the Hash::check() method:
if (\Hash::check($password, $myuser1->password)) {
The Laravel Hash facade provides secure Bcrypt hashing for storing user passwords. If you are using the built-in LoginController and RegisterController classes that are included with your Laravel application, they will automatically use Bcrypt for registration and authentication.
https://laravel.com/docs/5.5/hashing
You can't expect this to work.
Passwords are stored encrypted. Multiple people could theoretically have the exact same password, but none of them would look identical when stored. Therefore you don't know what to look for in the record, even if you know what password you are looking for because you don't know what salt was used for the particular record where it is stored.
You just can't retrieve a record on a password lookup like this. Rather, you have to retrieve the record first (based on some other key, eg. username or id) and then see if the password encrypts to match from the given password that has the ever important salt.
I am using in-built Registration and Login code in Laravel 5.1
What I am doing ?
I did the registration and credentials are being saved successfully.
What's the problem ?
When I try to do the login, it says "These credentials do not match our records."
In postLogin Method , I saw the code : $credentials = $this->getCredentials($request); and when I printed values in $credentials and found that the Password value is plain text.
May be that's the reason the below line when executes always says User not found
if (Auth::attempt($credentials, $request->has('remember'))) {
Please suggest me the path
You should use bcrypt to encrypt the user password.
$user = new App\User;
$user->email = 'test#test.com';
$user->password = bcrypt('plain-text-password');
$user->save();
The Hash::check method allows you to verify that a given plain-text
string corresponds to a given hash.
if (Hash::check('plain-text-password', $hashedPassword)) {
// The passwords match...
}
I made many changes in the Framework. Those changes were like adding new columns in the User Table and code changes. Also changed from password to Password. Then I realized that at Authenticatable class under getAuthPassword function, it had to be Password and not password
I am trying to use my stored passwords from Laravel 4 in a fresh Phalcon Installation. I have no idea whether this is possible and tried it this way in the SessionController of the Phalcon sample-apllication INVO:
#$password = sha1($password);
$password = password_hash($password, PASSWORD_BCRYPT);
Can I use another Hash-Algorythm in phalcon, that fits to Laravel 4 Passwords, or can I convert the hashes somehow?
You should be able to use laravel hashses - all you need to do is to check how Laravel is creating and checking them.
Check this code from BCryptHasher::make() and this for validating.
The problem is that in Laravel this algorithm is a bit different. First is obtaining user from database then checking if password is the same with password_verify. While in INVO you first hash the given password and then you search for a user with given email and hash - if it finds anything then it can log user. Below should do the trick knowing the $cost value from Laravel settings (class defaults to 10).
$password = password_hash($value, PASSWORD_BCRYPT, array('cost' => $cost));
Edit: while above would be true for SHA1 & similar. The INVO code should be changed to match the login algorithm in Laravel and BCrypt itself:
$user = Users::findFirst(array("email = :email: AND active='Y'", 'bind' => array('email' => $email));
if ($user != false && password_verify($user->password, $this->request->getPost('password'))) {
// login user
}
Laravel is using BCrypt for a reason - it is generally very good choice for hashing so you should stick to it.
Anyway you could write a password migration which will do upon each user successful login:
validate user password using old hashing algorithm
checks if User has migrated it's password (ie by checking some database field - or separated table)
hash given password with new algorithm
store new hash and update user table (with information that hash has been changed)
Which is rather complicated and should be needed only when migrating to "better" algorithm.