I'm trying to implement authentication in laravel 4
When the user registers, I hash the password and save it, like this:
$password = Hash::make(Input::get('password'));
Then when the user tries to login, I want to authenticate him/her with the following code:
if (Auth::attempt(array('username' => Input::get('username'), 'password' => Hash::make(Input::get('password')))))
{
return Redirect::intended('dashboard');
}
and that never succeeds. I tried to debug the code and it seems that the Hash::make function always gives a different result.
Am I using a good authentication methods?
Don't Hash the password you are giving to the Auth::attempt method, it should be like this:
Auth::attempt(array('username' => Input::get('username'), 'password' => Input::get('password')));
You may also check the password using Hash::check('password', $hashedPassword). Read more about security on Laravel website.
Do not hash the password in the auth::attempt() function the code should be like this:
Auth::attempt(array('username' => Input::get('username'), 'password' => Input::get('password')));
The auth::attempt() will hash the password and then check if it matches the one stored in the database
To add some explanation to the answer, it is different every time because the hashing algorithm bcrypt generates a random string (salt) that has to be used to decrypt the password.
This is to protect passwords from rainbow table attacks. https://en.wikipedia.org/wiki/Rainbow_table
Related
I use a different database and table for user authentication. Now I have current Hash as an example:
'$2a$08$UU.AJY.bcf0uJAp12WZvy.XE6CCgNAmuX8Hr17Pfkh3FRyFHWhBtO' = Test12345
But when I use Hash::check('Test12345', '$2a$08$UU.AJY.bcf0uJAp12WZvy.XE6CCgNAmuX8Hr17Pfkh3FRyFHWhBtO') it always returns false. So I think that's because the hashing uses a different method, so the prefix is $2a instead of $2y and 8 rounds instead of 12. I already tried to use $2y$12$UU.AJY.bcf0uJAp12WZvy.XE6CCgNAmuX8Hr17Pfkh3FRyFHWhBtO as my Hash to check, that doesn't work aswell and I just saw that on another stackoverflow post so I gave it a try.
Thanks in advance!
the same value can be hashed in different "codes"
to login use:
if (Auth::attempt(['email' => $request->email, 'password' => $request->password])) {
return "login sucess";
}
else{
return "fail";
}
Okay finally found it out. I first have to get the salt from the hash and hash the password once, then verify it and it works.
I created user and I gave him password 'secret'.
The hash that was generated by the registration process is
$10$TKh8H1.PfQx37YgCzwiKb.KjNyWgaHb9cbcoQgdIVFlYg7B77UdFm
I wanted to generate it in the code so I used Hash::make('secret') and I got:
$2y$10$Hnbg7DCp2VObns4cbr580uo9VTYgzJF2BSNSpA7S8BYjkAgfUlH.G
finally I used bcrypt('secret') and I got:
$2y$10$5g1bhkHB7kRk8SkM3yS/YOifsEesjZ31YeYnRlE.bxSBmZutVCuui
These are all different hashes, How can I generate one that would let me change password inside my code?
It's because bcrypt doesn't work as SHA-256, it uses a key that would change the result of the hash itself for the same string.
In Laravel, you can use Hash::check('plain-text', $hashedPassword) to check the password, but you will never have the same result for the same password. check here
You can use bcrypt(secret") and leave it at laravel and test it (everything is working).
It works as intended, bcrypt doesnt always generate the same hash. Laravels Hash::check() function will return true for any valid hash of the given password.
For mor informations, look here: https://stackoverflow.com/a/8468936/6622577
Bycrypt is a more secure password hashing algorithm. Unlike md5() or SHA1() bycrypt does not always generate the same hashed value for a specific string.
So when you are storing the hashed password in the database you will use
$password = bcrypt($input['password']);
Afterwards, when you wish to check at the time of login you simply set the plain-text password (As you might be getting it from user input) and run a function called Auth::attempt() to match the password.
$userdata = array(
'username' => $input['username'],
'password' => $input['password'],
);
if (Auth::attempt($userdata)) {
// Password matched
}
And if you want to explicitly check the plain-text password corresponding to its hash then use Hash::check() as below:
Hash::check('plain-text-password', 'hashed-password);
I was using md5 to hash my passwords but learned that using bcrypt was more secure.
When using md5, it was easy to check whether a password entered in a form was correct. I simply done
if(md5($request->password) == $user->password)
//Login or whatever
So how do I do this using bcrypt? I tried
if(bcrypt($request->password) == $user->password)
But that isn't working.
Use the attempt() method:
if (Auth::attempt(['email' => $email, 'password' => $password]))
The attempt method accepts an array of key/value pairs as its first argument. The values in the array will be used to find the user in your database table.
https://laravel.com/docs/5.4/authentication#authenticating-users
Under the hood attempt() uses password_verify() method to check password.
You could also use the check method of the Hash Facade
if (Hash::check($request->password, $user->password)) {
// The passwords match...
}
https://laravel.com/docs/5.4/hashing#basic-usage
I've struggled with a problem for a while now. I want to use Laravel for my website BUT I can only use SHA256 as the password encryption because of some other limitations in our project.
Basicly my problem consists of a function within Laravel that is used to check if the userdata is correct (Checks if the user can login) does not work for me because of my difference in encryption (Atleast that's my theory)
Auth::attempt(['username' => $username, 'password' => $password]
This function always returns false, no matter if the password is correct and I assume it's because of the difference in encryption.
Anybody know if there's a fix for this?
Auth::attempt(['username' => $username, 'password' => SHA256($password)]);
Here SHA256($password) you can call the function as the same which used for encryption and check it.
In this case, SHA256 (dummy function) will hash the password you passed and match the value.
EDIT 1
Sample Code for registration
$users = User::create([
'name' => $name,
'email' => $email,
....
....
'password' => SHA256($password)
]);
//to login with the above creds
Auth::login($users);
Now while login you can use the same SHA256 function to encrypt the input password and check with your database.
I fixed this issue with the help of the above comments from Arun Code and Andrew.
For anyone else with this issue I suggest reading this
I'm quite new to Auth module, and i'm trying to get login working, after reading documentation and googling like crazy i have this simple piece of code...
Auth::instance()->login('test', 'test');
if (Auth::instance()->logged_in()){
$this->request->redirect('user/index/');
}else{
echo 'fail';
}
This always returns false, my registration script looks like this:
$model = ORM::factory('user');
$model->values(array(
'username' => 'admin',
'email' => 'adsmin#example.com',
'password' => 'test',
'password_confirm' => 'test',
));
$model->save();
It creates user just fine, also it sets role_id to 1 and 2 which means i have admins/login rights, but it keeps failing anyways, if i would use Auth::instance()->force_login($user); everything work's just fine, so i'm guessing problem could be with hashing, but i have no idea where.
You must set driver to 'orm' in config/auth.php
Did you store the plaintext password or the hashed password? I think the Auth module login function hashes the password. So maybe you should save the hashed password.
You could hash your password by using:
Auth::instance()->hash('your_password');