
I noticed in the 3.2 release of CakePHP they added support for hashing using bcrypt. I'd like to take advantage of this however I can't seem to find how to use it properly.

In my User model's beforeSave() method I'm doing this:

// Security lives in Utility, so the model file needs: App::uses('Security', 'Utility');
if(isset($this->data[$this->alias]['password'])) {
    // 'blowfish' makes Security::hash() produce a salted bcrypt hash
    $this->data[$this->alias]['password'] = Security::hash($this->data[$this->alias]['password'], 'blowfish');
    unset($this->data['User']['passwd']);
}

which successfully saves a bcrypt hash in the database for the user account. However, I'm not sure how I'm meant to then log in the user. My users controller has the following login action:

public function login() {
    if($this->request->is('post')) {
        if($this->Auth->login()) {
            $this->redirect($this->Auth->redirect());
        } else {
            $this->Session->setFlash('Invalid username or password, try again.');
        }
    }
}

but it's saying "Invalid username or password" every time, and I'm certain it's the correct email/password. I think it's because the AuthComponent doesn't know it should use bcrypt but I'm not sure.

Any suggestions?

James Dawson
  • I suppose you mean [2.3](http://bakery.cakephp.org/articles/lorenzo/2013/01/28/cakephp_2_3_0_is_out)? – Jelmer Feb 04 '13 at 19:46
  • Have you configured your AuthComponent for Blowfish authentication as well? http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html – thaJeztah Feb 04 '13 at 20:08
  • Looks like I missed that. I've changed my `$components` declaration to what it says in the cookbook, however I'm still getting the invalid username/password message. Here's the relevant code: http://pastebin.com/7EL0p9Bc – James Dawson Feb 04 '13 at 21:31
  • @JamesDawson Please update your question with the relevant code, so when Pastebin deletes your code in a year or maybe even in a month, we can still learn from the solution if we have all the relevant stuff in one place :) – Jelmer Feb 04 '13 at 21:59

3 Answers

Alright I managed to work it out. Here's the relevant code:

In AppController.php:

public $components = array(
    'Session',
    'Auth' => array(
        // 'Blowfish' tells AuthComponent to verify logins against bcrypt hashes
        // instead of the default (salted SHA-1) hashes
        'authenticate' => array(
            'Blowfish' => array(
                // the login form's "username" is the users.email column
                'fields' => array('username' => 'email')
            )
        ),
        'loginRedirect' => array('controller' => 'pages', 'action' => 'home'),
        'logoutRedirect' => array('controller' => 'pages', 'action' => 'home')
    )
);

In User.php:

// needs App::uses('Security', 'Utility'); at the top of the file
public function beforeSave($options = array()) {
    if(isset($this->data[$this->alias]['password'])) {
        // bcrypt hash with a freshly generated salt; the Blowfish authenticator
        // re-hashes the submitted password with the stored hash as salt to compare
        $this->data[$this->alias]['password'] = Security::hash($this->data[$this->alias]['password'], 'blowfish');
        unset($this->data['User']['passwd']);
    }

    return true;
}

James Dawson

Why?

unset($this->data['User']['password']);

This will clear the password before saving.


Relevant subject: CakePHP - How do I implement blowfish hashing for passwords?

Plus: use varchar(60) for the password DB field.

Community
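What the 'Blowfish' authenticate setting from the accepted answer does at login time, and why the last answer asks for a varchar(60) column, shown in plain PHP as an added example (not the question's code and not CakePHP's own). It assumes PHP 5.3.7 or newer with the openssl extension; the function names bcryptSetting, hashPassword and checkPassword are chosen here.

```php
<?php
// Added example, not code from the question or from CakePHP: the check a bcrypt
// authenticator performs, written with plain crypt() so it runs without the framework.
// Assumes PHP >= 5.3.7 (for the $2y$ prefix) and the openssl extension.

// Build a bcrypt setting string: "$2y$" + two-digit cost + 22 salt chars from ./A-Za-z0-9.
// The cost is the work factor (2^cost rounds); raising it slows offline guessing.
function bcryptSetting($cost = 10) {
    $raw = openssl_random_pseudo_bytes(16);
    // base64 uses '+', bcrypt's alphabet uses '.', so swap it; crypt() reads only 22 chars.
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

// Hash a password for storage. A real bcrypt hash is always 60 characters long.
function hashPassword($plain, $cost = 10) {
    $hash = crypt($plain, bcryptSetting($cost));
    // crypt() signals failure with a short string such as '*0' instead of throwing.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt is not available in this PHP build');
    }
    return $hash;
}

// Verify a login attempt the way a bcrypt authenticator does: re-hash the submitted
// password using the STORED hash as the setting string (crypt() takes the prefix,
// cost and salt from its first 29 characters) and compare the two results.
function checkPassword($plain, $stored) {
    $candidate = crypt($plain, $stored);
    // Constant-time comparison (hash_equals() only exists from PHP 5.6).
    if (strlen($candidate) !== strlen($stored)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($stored); $i < $n; $i++) {
        $diff |= ord($candidate[$i]) ^ ord($stored[$i]);
    }
    return $diff === 0;
}

$stored = hashPassword('correct horse battery staple');   // constructed sample password
printf("stored hash (%d chars): %s\n", strlen($stored), $stored);
var_dump(checkPassword('correct horse battery staple', $stored));
var_dump(checkPassword('wrong password', $stored));

// What a too-short column does: varchar(40) silently keeps only the first 40
// characters, so the stored value is no longer a full hash and no login can match.
$truncated = substr($stored, 0, 40);
var_dump(checkPassword('correct horse battery staple', $truncated));
```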