Login [ Auth->identify() ] always false on CakePHP 3

php cakephp authentication login cakephp-3.0
Beto picture Beto · Apr 9, 2015 · Viewed 16.6k times · Source

I started using CakePHP 3 after a time using CakePHP 2 and I am having troubles to create the authentication login.

The new auth function $this->Auth->identify() always return false.

On the database, the password are encrypted perfect and the query who takes the user it's ok too.

My code:

AppController:

[...]
class AppController extends Controller{
    public function initialize(){
        $this->loadComponent('Flash');
        $this->loadComponent('Auth', [
            'loginRedirect' => [
                'controller' => 'Admin',
                'action' => 'index'
            ],
            'logoutRedirect' => [
                'controller' => 'Pages',
                'action' => 'display'
            ]
        ]);
    }

    public function beforeFilter(Event $event)
    {
        $this->Auth->allow(['display']);
    }
}

UserController:

[...]
class UsersController extends AppController{
    public function beforeFilter(Event $event)
    {
    parent::beforeFilter($event);
    $this->Auth->allow(['logout']);
    }
[...]
    public function login()
    {
        if ($this->request->is('post')) {
            $user = $this->Auth->identify();
            if ($user) {
                $this->Auth->setUser($user);
                return $this->redirect($this->Auth->redirectUrl());
            }
            $this->Flash->error(__('Invalid username or password, try again'));
        }
    }
[...]

User (Model Entity):

<?php
namespace App\Model\Entity;

use Cake\Auth\DefaultPasswordHasher;
use Cake\ORM\Entity;

class User extends Entity{
    protected $_accessible = [*];
    protected function _setPassword($password){
        return (new DefaultPasswordHasher)->hash($password);
    }
}

View:

<div class="users form">
<?= $this->Flash->render('auth') ?>
<?= $this->Form->create() ?>
    <fieldset>
        <legend><?= __('Please enter your username and password') ?></legend>
        <?= $this->Form->input('username') ?>
        <?= $this->Form->input('password') ?>
    </fieldset>
<?= $this->Form->button(__('Login')); ?>
<?= $this->Form->end() ?>
</div>

Answer

cs01 picture cs01 · May 3, 2015

CakePHP3 uses a different hashing algorithm by default than 2 (bcrypt vs. SHA1), so you need to make your password length longer. Change your password field to VARCHAR(255) to be safe.

When CakePHP 3 tries to identify your in-memory hashed password from this->Auth->identify() vs. the hashed password in the database, it will never match because some characters are missing. Changing to 255 is more than needed, but can help future proof if an even more secure hash is used in the future. 255 is recommended because the the character count can be stored in one byte.

Related questions

Why is the CakePHP authentication component not hashing my password?

I'm using CakePHP 1.2 with Auth and ACL components. In my user register action, the password is coming in unhashed. Specifically, this expression: if ($this->data['User']['password'] != $this->Auth->password($this->data['User']['confirm_password'])) This …

Read More
SQLSTATE[HY000] [1045] Access denied for user 'username'@'localhost' using CakePHP

I am new to PHP and CakePHP. I am finding problems while wiring my database using CakePHP. Below is my application configuration. I am on Bitnami WAMP stack 5.4.40-0. I am using CakePHP 3.0.4 to create a web MVC application Entry …

Read More
"[notice] child pid XXXX exit signal Segmentation fault (11)" in apache error.log

I am using Apache/PHP/MySQL stack. Using as framework CakePHP. Every now and then I get a blank white page. I can't debug it through Cake, so I peek in the apache error.log and here's what I get: […

Read More