Yii
Vladimir, 2017-03-01 22:59:27

User passwords after migration from Yii?

Good afternoon. I need to solve the following problem:
There was a site on Yii; over its lifetime it gained many active users whom I would not want to lose. Since the site had long since stopped being what it once was, I had to rewrite it, this time in plain PHP.
Everything would be fine, except that the user passwords are stored as an encrypted hash.
How can I reproduce this password hashing algorithm in plain PHP so that users can log in without changing their passwords?


3 answer(s)
xfg, 2017-03-02
@qDiablo

Yii uses the blowfish hashing algorithm. To get a hash with this algorithm in PHP, you just need to take the crypt function and pass the salt as the second argument in the format $2a$13$6abRKtrd12bvkltrfsorbd
where
$2a$ (can also be $2x$ or $2y$) indicates the blowfish algorithm;
13 is the cost of the algorithm, from 04 to 31. The larger the number, the longer the hash takes to compute;
6abRKtrd12bvkltrfsorbd is the 22-character salt.
You can check a password against the hash with the password_verify function. Take the hashes that Yii generated for you, pass them to password_verify, and everything will work, no problem. I took these hashes from Yii over to node.js with no trouble :)
You can skip what follows; it is for those wondering where the three different prefixes ($2a$, $2x$, $2y$) came from.
The $2y$ and $2x$ prefixes exist only in PHP, because the blowfish algorithm was broken in versions prior to 5.3.7. The $2x$ prefix was added for backwards compatibility: if you generated $2a$ hashes in a PHP version prior to 5.3.7, have now upgraded to that version or higher, and want your existing vulnerable hashes to keep working correctly, you should change the prefix of those hashes from $2a$ to $2x$. The $2y$ prefix is the fixed hashing algorithm and is no different from $2a$ in PHP 5.3.7 and higher. You can read more about all this at php.net/security/crypt_blowfish.php
Yii uses the $2y$ prefix. But of all these prefixes only $2a$ is in the specification, and it is the one to use if your PHP version is 5.3.7 or higher. So, if you got rid of Yii, you can change the prefix of your hashes as well. When I migrated to node.js, the bcrypt library naturally did not support $2y$ or $2x$ and had no plans to, since these are not its bugs but PHP's, so let PHP live with these prefixes :)

Dmitry, 2017-03-01
@slo_nik

Good evening.
In the sense of "quiet horror" according to the documentation?
On topic: if you cannot work it out from the documentation, you can do this:
1) Transfer the users to the new database
2) Generate a new password
3) And then either
a) send the new password with a recommendation to change it immediately, or
b) send a link to change the password, protected with a token
Something like this.
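Option 3b from this answer, written out as an added example in plain PHP (this is not Dmitry's code; the in-memory $store and $users arrays, the one-hour lifetime and the example.com link are assumptions standing in for a real database and site). Only a SHA-256 of the token is persisted, the token is single use and time-limited, and the comparison uses hash_equals so a leaked table or a timing side channel does not yield a working reset link:

```php
<?php
// Added example: token-protected password reset. $store and $users are constructed
// in-memory stand-ins for database tables; adapt them to your schema.

const RESET_TOKEN_TTL = 3600; // assumption: reset links are valid for one hour

// Create a reset token for a user. Only the SHA-256 of the token is persisted,
// so a leaked database does not expose usable reset links.
function createResetToken(array &$store, int $userId): string
{
    $token = bin2hex(random_bytes(32));           // 64 hex chars from the CSPRNG
    $store[$userId] = [
        'token_hash' => hash('sha256', $token),
        'expires_at' => time() + RESET_TOKEN_TTL,
    ];
    return $token;                                // goes into the e-mailed link only
}

// Check a token presented via the reset link: it must exist, be unexpired and match.
// hash_equals() compares in constant time.
function verifyResetToken(array $store, int $userId, string $token): bool
{
    if (!isset($store[$userId])) {
        return false;
    }
    $entry = $store[$userId];
    if (time() > $entry['expires_at']) {
        return false;
    }
    return hash_equals($entry['token_hash'], hash('sha256', $token));
}

// Consume the token and store a fresh bcrypt hash for the user (step 3b above).
function resetPassword(array &$store, array &$users, int $userId, string $token, string $newPassword): bool
{
    if (!verifyResetToken($store, $userId, $token)) {
        return false;
    }
    unset($store[$userId]);                       // single use: the token is gone after this
    $users[$userId]['password_hash'] = password_hash($newPassword, PASSWORD_BCRYPT, ['cost' => 13]);
    return true;
}

// Constructed sample data
$users = [42 => ['email' => 'user@example.com', 'password_hash' => null]];
$resetStore = [];

$token = createResetToken($resetStore, 42);
$link = 'https://example.com/reset?uid=42&token=' . $token;   // this is what gets e-mailed

var_dump(resetPassword($resetStore, $users, 42, 'not-the-token', 'NewPassw0rd!')); // rejected
var_dump(resetPassword($resetStore, $users, 42, $token, 'NewPassw0rd!'));          // accepted
var_dump(password_verify('NewPassw0rd!', $users[42]['password_hash']));            // new hash works
var_dump(verifyResetToken($resetStore, 42, $token));                                // token already consumed
```

In a real deployment the expiry and the token hash live in the users table (or a separate reset table), and the link handler should also rate-limit attempts per user, since the token hash is the only secret protecting the account between steps 2 and 3.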

Immortal_pony, 2017-03-02
@Immortal_pony

You need to implement the password hashing algorithm from Yii in the new system. You can see it in the source.

// Yii 1.x, CPasswordHelper::hashPassword(): bcrypt via crypt() with a $2y$ salt
public static function hashPassword($password,$cost=13)
{
    self::checkBlowfish();                 // verifies this PHP build supports the fixed $2y$ bcrypt (PHP >= 5.3.7)
    $salt=self::generateSalt($cost);       // "$2y$" . cost . "$" . 22 random salt characters
    $hash=crypt($password,$salt);
    // crypt() returns a short '*'-prefixed string on failure; a valid bcrypt hash is 60 bytes
    if(!is_string($hash) || (function_exists('mb_strlen') ? mb_strlen($hash, '8bit') : strlen($hash))<32)
        throw new CException(Yii::t('yii','Internal error while generating hash.'));
    return $hash;
}
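The same routine without Yii, as an added example that is not Yii's code and not part of either answer above. It serves both xfg's answer (crypt with a $2y$<cost>$<22 chars> salt, password_verify, and rewriting the prefix for non-PHP bcrypt libraries) and Immortal_pony's (a drop-in for hashPassword). generateBcryptSalt is my own equivalent of Yii's generateSalt, assumed to produce the salt layout xfg describes; the cost default of 13 matches the posted code:

```php
<?php
// Added example (not Yii's code): Yii-compatible bcrypt hashing and verification in plain PHP.

// Build a bcrypt salt string "$2y$<cost>$<22 chars>" from the CSPRNG.
// The 22 characters must come from bcrypt's own alphabet ./A-Za-z0-9.
function generateBcryptSalt(int $cost = 13): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    $raw  = base64_encode(random_bytes(16));          // 24 chars, may contain '+' and '='
    $salt = substr(strtr($raw, '+', '.'), 0, 22);     // '+' -> '.', drop padding, keep 22
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

// Equivalent of Yii's hashPassword(): crypt() with the generated salt, then sanity-check the result.
function hashPasswordLikeYii(string $password, int $cost = 13): string
{
    $hash = crypt($password, generateBcryptSalt($cost));
    // crypt() returns a short '*'-prefixed string on failure; bcrypt output is always 60 bytes
    if (!is_string($hash) || strlen($hash) !== 60) {
        throw new RuntimeException('Internal error while generating hash.');
    }
    return $hash;
}

// Verification works the same for hashes Yii produced and for password_hash() output:
// the hash carries its own prefix, cost and salt.
function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// After a successful login, transparently upgrade hashes that no longer match the
// current policy (for instance a different cost). Returns the new hash, or null if none is needed.
function rehashIfNeeded(string $password, string $storedHash, int $cost = 13): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost])) {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return null;
}

// For moving hashes out of PHP (xfg's node.js case): $2y$ hashes made by PHP >= 5.3.7 are
// standard bcrypt, so the prefix can be rewritten to $2a$. Leave $2x$ hashes alone; those
// came from the pre-5.3.7 bug and are not portable.
function toPortableBcryptPrefix(string $hash): string
{
    if (strncmp($hash, '$2y$', 4) === 0) {
        return '$2a$' . substr($hash, 4);
    }
    return $hash;
}

// Constructed demo: hash the way Yii did, then check it the plain-PHP way
$hash = hashPasswordLikeYii('correct horse battery staple');
echo $hash, PHP_EOL;                                                  // 60-character hash, prefix $2y$13$
var_dump(verifyPassword('correct horse battery staple', $hash));      // matches
var_dump(verifyPassword('wrong password', $hash));                    // rejected
var_dump(rehashIfNeeded('correct horse battery staple', $hash, 13));  // cost already 13, nothing to do
var_dump(verifyPassword('correct horse battery staple', toPortableBcryptPrefix($hash))); // $2a$ form still verifies
```

Because a bcrypt hash embeds its own algorithm prefix, cost and salt, the migrated application never needs to reproduce generateSalt at all for existing users: password_verify reads everything it needs from the stored string. The hashing side only matters for new registrations and for rehashing, and for those password_hash with PASSWORD_BCRYPT produces output that is byte-for-byte the same format Yii stored.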
