CakePHP - How do I implement blowfish hashing for passwords?

cakephp cakephp-2.0 blowfish cakephp-2.4
BadHorsie picture BadHorsie · Jan 14, 2014 · Viewed 11.4k times · Source

Struggling to find answers to a few basic questions about using Blowfish in Cake 2.4.

AppController.php

public $components = array(
    'Auth' => array(
        'authenticate' => array(
            'Form' => array(
                'fields' => array(
                    'username' => 'email'
                ),
                'passwordHasher' => 'Blowfish'
            )
        )
    ),
    'Cookie',
    'Session'
);

What now? How do I log in?

UsersController.php

public function login() {

    if (!empty($this->request->data)) {

        if ($this->Auth->login()) {
            $this->redirect($this->Auth->redirectUrl());
        }

    }
}

What do I need to add to this? I'm getting the following error if I try to log in:

Warning (512): Invalid salt: for blowfish Please visit http://www.php.net/crypt and read the appropriate section for building blowfish salts. [CORE/Cake/Utility/Security.php, line 285]

Do I need to salt the password before attempting login, and if so, which method do I use and what is the best thing to use for the salt? Does Cake automatically try to use the salt from the core.php config file for all users?

I'm confused mainly because I don't know which parts of using blowfish in a standard PHP way CakePHP is trying to do automatically for me.

Answer

Martin Bean picture Martin Bean · Jan 14, 2014

You can’t use Blowfish if you already have a database filled with passwords hashed using another method. If so, they won’t be valid Blowfish-hashed passwords and you’ll get the error above.

In terms of implementing Blowfish for password hashing in a CakePHP application, the Cookbook has a dedicated section on using bcrypt (Blowfish) in authentication: http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#using-bcrypt-for-passwords

You set up the components array as you have done:

<?php
class AppController {

    public $components = array(
        'Auth' => array(
            'authenticate' => array(
                'Form' => array(
                    'passwordHasher' => 'Blowfish'
                )
            )
        )
    );
}

Then to generate a password you would use the password hasher class in a model. For example, a User model:

<?php
App::uses('BlowfishPasswordHasher', 'Controller/Component/Auth');

class User extends AppModel {

    public function beforeSave($options = array()) {
        // if ID is not set, we're inserting a new user as opposed to updating
        if (!$this->id) {
            $passwordHasher = new BlowfishPasswordHasher();
            $this->data[$this->alias]['password'] = $passwordHasher->hash($this->data[$this->alias]['password']);
        }
        return true;
    }
}

Then to authenticate you don’t really need to do anything, as CakePHP’s authentication handler will do the password comparing for you:

<?php
class UsersController extends AppController {

    public function login() {
        if ($this->request->is('post')) {
            if ($this->Auth->login()) {
                return $this->redirect($this->Auth->redirectUrl());
            } else {
                $this->Session->setFlash( __('Username or password incorrect'));
            }
        }
    }
}

And that’s all there is to it.

Related questions

Efficient way to Pass variables from PHP to JavaScript

From time to time I have to pass some variables from PHP to JS script. For now I did it like this: var js-variable = "<?php echo $php-variable; ?>"; But this is very ugly and I can't hide my JS …

Read More
Loading Vendor Files in CakePHP 2.0

I'm currently upgrading one of our projects to CakePHP 2.0. Unfortunately the "first line" of code makes problems, and I can't find a solution to that problem. In CakePHP 1.3 I had an App::import("Vendor", "facebook"); statement right before the AppController …

Read More
CakePHP 2.0 - How to make custom error pages?

I read that the AppError class is now for backwards compatibility and that Exceptions should be used instead. How does one go about creating custom error pages for things like 404 errors, or completely custom errors?

Read More