3

I am hashing my passwords in a Zend PHP application using PHP crypt(). However, I can't think of a solution for using this hash with Zend_Auth_Adapter_DbTable. Assuming I have a password hash stored after being run with crypt()...

    //Salt and hash...
    $salt = '$2a$07$'.$this->getSalt();
    $data['password'] = crypt($user_object->password, $salt);
    $this->_db_table->insert($data);

    //Authentication...
    $dbAdapter = Zend_Db_Table::getDefaultAdapter();
    $authAdapter = new Zend_Auth_Adapter_DbTable($dbAdapter);
    $authAdapter->setTableName('users')
                ->setIdentityColumn('username')
                ->setCredentialColumn('password')
                //Now what? Possibly...
                ->setCredentialTreatment(/* But how? */);

How can I use the Zend_Auth_Adapter_DbTable table object with this kind of salting and hashing strategy? I've looked around, but can't really find any solutions outside of MD5 and SHA type hashing...

bristophocles

3 Answers

1

If you are storing the salt in the user table, you should create your own adapter.

If you have the salt somewhere else you just need to encrypt the password and then just pass it to the adapter with

    $authAdapter->setCredential($cryptedPassword);

I had the same issue a couple of weeks ago; I ended up creating my own adapter, extending Zend_Auth_Adapter_DbTable.

I actually backported the ZF2 Bcrypt lib, but you should be able to use it with the crypt method.

Take a look if you want: AuthAdapter-DbTableBcrypt

Jean Paul Rumeau
  • 1
    I believe $authAdapter->setCredential($cryptedPassword) won't work as the hash will actually look different every time, that's one advantage of crypt vs. MD5. You actually have to have the adapter use the crypt function to run the algorithm and determine they both jive... I've ended up writing my own adapter, will post it. – bristophocles Sep 14 '12 at 03:03
  • Let me correct myself, the advantage over MD5 is NOT storing the salt in the table with the password. This method would defeat this advantage. – bristophocles Sep 14 '12 at 03:12
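An added example, not code from the question or from any of the answers, taking the route this answer describes: extend Zend_Auth_Adapter_DbTable so the table and column configuration from the question stay as they are, but the crypt() check runs in PHP rather than in SQL. It assumes the ZF 1.x protected hooks and members (`getDbSelect()`, `_authenticateCreateSelect()`, `_authenticateValidateResult()`, `_authenticateCreateAuthResult()`, `$_zendDb`, `$_tableName`, `$_identityColumn`, `$_credentialColumn`, `$_identity`, `$_credential`, `$_authenticateResultInfo`, `$_resultRow`), and the class name `My_Auth_Adapter_DbTableCrypt` is hypothetical.

```php
<?php
// Added example, not from the page; assumes ZF 1.x's protected hooks/properties named in the lead-in.
class My_Auth_Adapter_DbTableCrypt extends Zend_Auth_Adapter_DbTable
{
    // Select by identity only, so the credential is never compared inside SQL.
    protected function _authenticateCreateSelect()
    {
        $select = clone $this->getDbSelect();
        $select->from($this->_tableName, array('*'))
               ->where($this->_zendDb->quoteIdentifier($this->_identityColumn, true) . ' = ?', $this->_identity);
        return $select;
    }

    // Re-run crypt() with the stored hash as the salt: its "$2a$07$..." prefix carries
    // algorithm, cost and salt, so no separate salt column is needed.
    protected function _authenticateValidateResult($resultIdentity)
    {
        $stored   = (string) $resultIdentity[$this->_credentialColumn];
        $computed = crypt((string) $this->_credential, $stored);
        // crypt() returns a short failure marker ("*0"/"*1") for an unusable salt; an empty
        // or corrupt stored hash must never compare equal to it, hence the length guard.
        if (strlen($stored) < 13 || !self::constantTimeEquals($stored, $computed)) {
            $this->_authenticateResultInfo['code'] = Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID;
            $this->_authenticateResultInfo['messages'][] = 'Supplied credential is invalid.';
            return $this->_authenticateCreateAuthResult();
        }
        unset($resultIdentity[$this->_credentialColumn]); // keep the hash out of getResultRowObject()
        $this->_resultRow = $resultIdentity;
        $this->_authenticateResultInfo['code'] = Zend_Auth_Result::SUCCESS;
        $this->_authenticateResultInfo['messages'][] = 'Authentication successful.';
        return $this->_authenticateCreateAuthResult();
    }

    // Byte-by-byte comparison without an early exit (hash_equals() only exists from PHP 5.6).
    private static function constantTimeEquals($a, $b)
    {
        if (strlen($a) !== strlen($b)) {
            return false;
        }
        $diff = 0;
        for ($i = 0, $n = strlen($a); $i < $n; $i++) {
            $diff |= ord($a[$i]) ^ ord($b[$i]);
        }
        return $diff === 0;
    }
}

// Usage with the question's table and columns ($username/$password come from the login form):
$authAdapter = new My_Auth_Adapter_DbTableCrypt(Zend_Db_Table::getDefaultAdapter(), 'users', 'username', 'password');
$result = $authAdapter->setIdentity($username)->setCredential($password)->authenticate();
```

Because the comparison happens in PHP, setCredentialTreatment() is simply not needed, and the stored hash is never sent back to the database as a query parameter.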
1

So I wrote my own adapter to overcome this. Just include the file, pass it to a Zend_Auth adapter authenticate function with the details (Here I am using a login with email and a password):

    class User_Authenticate_Adapter implements Zend_Auth_Adapter_Interface {
      protected $_email;
      protected $_password;

      public function __construct($email, $password) {
        $this->_email = $email;
        $this->_password = $password;
      }

      public function authenticate() {
        $dbTable = new Application_Model_DbTable_User();
        $select = $dbTable->select()->where('email = ?', $this->_email);
        $row = $dbTable->fetchRow($select);

        if ($row === null) {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND, $this->_email);
        }
        $data = $row->toArray();
        // crypt() takes the plaintext first and the stored hash as the salt;
        // it returns a hash that must equal the stored one for a valid password.
        if (crypt($this->_password, $data['password']) !== $data['password']) {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID, $this->_email);
        }
        return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $this->_email);
      }
    }

Hope that helps somebody.

bristophocles
  • you could remove username and password properties. Just use `$select = $dbTable->select()->where( $this->_identityColumn.' = ?', $this->_identity);` – traditional May 10 '13 at 18:46
0

Get the password beforehand and use it as the salt in the crypt function:

    $dbUser = new Application_Model_DbTable_User;
    $data = $dbUser->fetchRow(array("username = ?" => $_POST["username"]));
    // the stored hash carries the salt; an unknown user has none, and the
    // adapter will then fail with FAILURE_IDENTITY_NOT_FOUND anyway
    $cryptedPassword = ($data === null) ? '' : $data->password;

    $authAdapter->setIdentity($_POST["username"])
                ->setCredential(crypt($_POST["password"], $cryptedPassword));
Fábio Paiva