Yii
Mikhail Smirnov, 2016-09-05 19:04:36

Why is the password_verify function buggy?

Hello!
For some reason, the password_verify function does not work correctly.
Code examples:
creating a hash in the beforeValidate method:

if (in_array($this->scenario, ['userCreate', 'singUp'])) {
    $this->password_hash = $this->setPassword($this->password);
}

the $this->setPassword method:
public function setPassword($password)
    {
        return $this->password_hash = Yii::$app->security->generatePasswordHash($password,5);
    }

in general, a password hash of 12345678 ($2y$05$WjKwE1MiWPyPFghASGGcdupFqfcUHchkb2y/rwTiCWe40iIbqyxKq) is created and written to the database
after we check the password:
public function validatePassword($attribute, $params)
    {
        if (!$this->hasErrors()) {
            $user = $this->getUser();

            if (!$user || !$user->validatePassword($this->password)) {
                $this->addError($attribute, 'Неправильный логин или пароль.');
            }
        }
    }
// the validatePassword method of the user model
public function validatePassword($password)
    {
        return Yii::$app->security->validatePassword($password, $this->password_hash);
    }

the password_hash of the found user contains the hash generated above, and the password is 12345678, but as a result the password_verify function in the Yii::$app->security->validatePassword method returns false.
I also tried to check the hash immediately after creation in the setPassword method, before writing to the database: validation passes, but afterwards this hash does not pass with the password 12345678.


3 answer(s)
Melkij, 2016-09-05
@fortoster83

php > var_dump(password_verify(null, '$2y$05$WjKwE1MiWPyPFghASGGcdupFqfcUHchkb2y/rwTiCWe40iIbqyxKq'));
bool(true)
php > var_dump(password_verify('', '$2y$05$WjKwE1MiWPyPFghASGGcdupFqfcUHchkb2y/rwTiCWe40iIbqyxKq'));
bool(true)

Check what exactly you are getting the hash from. And when you receive it. Somewhere there, the password itself is lost and an empty string remains.

Cat Anton, 2016-09-05
@27cm

in general, a password hash of 12345678 is generated ($2y$05$WjKwE1MiWPyPFghASGGcdupFqfcUHchkb2y/rwTiCWe40iIbqyxKq)

This is apparently a hash of some other password:
<?php $password = '12345678';
 
var_dump(password_verify($password, '$2y$05$WjKwE1MiWPyPFghASGGcdupFqfcUHchkb2y/rwTiCWe40iIbqyxKq'));
// bool(false)

var_dump(password_verify($password, password_hash($password, PASSWORD_DEFAULT, ['cost' => 5])));
// bool(true)

https://ideone.com/suj3Rq
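The two answers above (Melkij's and Cat Anton's) make the same point from two directions: the stored hash verifies against the empty string and not against 12345678, so the password was empty by the time it was hashed. The script below is an added example, not code from the question or from Yii; it uses plain password_hash/password_verify (which is what Yii's security component calls underneath) and the hash copied from the question. It reproduces the symptom, then shows a setPassword-style helper that refuses empty input and checks its own result before anything reaches the database, plus a sweep that flags stored hashes which are hashes of the empty string. The function names, the sample rows and the cost value 5 (kept only to match the question) are assumptions of this example.

```php
<?php
// Added example (not from the question or the answers).
declare(strict_types=1);

// Hash copied from the question.
const HASH_FROM_QUESTION = '$2y$05$WjKwE1MiWPyPFghASGGcdupFqfcUHchkb2y/rwTiCWe40iIbqyxKq';

/**
 * Hash a password with bcrypt, as Yii's generatePasswordHash() does,
 * but refuse empty input so a lost value can never be stored as a
 * valid credential, and verify the hash before returning it.
 */
function hashPassword(?string $password, int $cost = 12): string
{
    if ($password === null || $password === '') {
        throw new InvalidArgumentException('refusing to hash an empty password');
    }
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    // Round-trip check: the hash must verify against the same input.
    if (!password_verify($password, $hash)) {
        throw new RuntimeException('freshly generated hash did not verify');
    }
    return $hash;
}

/** True when the stored hash is a hash of the empty string. */
function isEmptyPasswordHash(string $hash): bool
{
    return password_verify('', $hash);
}

// 1. The hash from the question: does it match the intended password,
//    and does it match the empty string?
echo 'matches 12345678: ';
var_dump(password_verify('12345678', HASH_FROM_QUESTION));
echo 'matches empty string: ';
var_dump(isEmptyPasswordHash(HASH_FROM_QUESTION));

// 2. A hash produced from a non-empty password round-trips
//    (cost 5 only to mirror the question; use the default or higher in practice).
$hash = hashPassword('12345678', 5);
echo 'fresh hash matches 12345678: ';
var_dump(password_verify('12345678', $hash));

// 3. The guard turns a silent mistake into an exception.
try {
    hashPassword('');
} catch (InvalidArgumentException $e) {
    echo 'guard: ', $e->getMessage(), PHP_EOL;
}

// 4. Defensive sweep over constructed sample rows: report any account
//    whose stored hash verifies against the empty string.
$rows = [
    ['id' => 1, 'password_hash' => HASH_FROM_QUESTION],
    ['id' => 2, 'password_hash' => $hash],
];
foreach ($rows as $row) {
    if (isEmptyPasswordHash($row['password_hash'])) {
        echo "user {$row['id']}: stored hash is a hash of the empty string", PHP_EOL;
    }
}
```

Run it with `php` from the command line. In the Yii model from the question the same guard belongs in setPassword(), so that a scenario in which $this->password is not yet populated fails loudly instead of persisting a hash that any empty login attempt would satisfy; the sweep in step 4 is the check to run once over an existing users table after such a bug has been found.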

Dmitry, 2016-09-05
@slo_nik

Good evening.
What do you want to achieve in the beforeValidate() method?
In the first validatePassword(), as I understand it in the LoginForm model, it is not necessary to pass parameters.

public function validatePassword()
    {
        if (!$this->hasErrors()) {
            $user = $this->getUser();

            if (!$user || !$user->validatePassword($this->password)) {
                $this->addError('password', 'Неправильный логин или пароль.');
            }
        }
    }

Try to remove beforeValidate(), I think that's the problem.
p.s. Use $this->setPassword() when registering a user
