0

I need help on migrating users from a website built using Symfony2 to Silverstripe 3.

I got a table of users from a symfony built website with sha1 hashed passwords and salts. I want to import the users to a freshly setup Silverstripe 3 website. I tried to insert a sample entry to SS3s Member table by manually inserting the hashed password, the salt and changed the password encryption algorithm to sha1 but it didn't work. I also tried using Security::set_password_encryption_algorithm in my _config.php to override the password encryption from blowfish to sha1 but it doesn't seem to change the password algorithm.

I really need help on this since I only have a few days left to deliver the project. Any ideas on how I should do the migration?

halfer
  • 19,824
  • 17
  • 99
  • 186
Sktzoootech
  • 21
  • 4

2 Answers2

1

The symfony2 password encryption does encrypt the password + hash not only once but many times (The default is 5000). Symfony also concatenates the password and the hash like this:

$password . '{' . $salt . '}'

You would need to either reproduce this technique in silverstripe 3 or use the symfony encryption in your Silverstripe 3 application. You can have a look at the implementation when looking at Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder.

Another method would be to reset each password and send an email to every user once the new application is live so the user can add his password. You would not need to migrate the password in this case, which might work better in the long run.

Sgoettschkes
  • 13,141
  • 5
  • 60
  • 78
  • I was able to change the password encryption algorithm to "sha1" unfortunately it still doesn't work because symfony uses the following pattern $salt.$password while SS3 uses the following $password.$salt. Im still figuring out how I can switch the position of the salt and password without hacking the SS3 core. BTW, thanks for the input. – Sktzoootech Dec 29 '12 at 12:27
0

You can create your own password "encryptor" classes (not 100% correct naming...) in SS for that. I've had a look at the SF2 implementation, here's an untested starting point. It doesn't check for curly braces in salts.

    <?php
class PasswordEncryptor_Symfony2 extends PasswordEncryptor {
    protected $algorithm = 'sha512';
    protected $iterations = 5000;
    protected $encodeHashAsBase64 = true;
    public function encrypt($password, $salt = null, $member = null) {
        $salted = $password . '{' . $salt . '}';
        $digest = hash($this->algorithm, $salted, true);
        for ($i = 1; $i < $this->iterations; $i++) {
            $digest = hash($this->algorithm, $digest.$salted, true);
        }

        return $this->encodeHashAsBase64 ? base64_encode($digest) : bin2hex($digest);
    }
}

You'll need to register this class via the YML config, in mysite/_config/encryptors.yml:

PasswordEncryptor:
  encryptors:
    symfony2:
      PasswordEncryptor_Symfony2:

And set it as the default (if so desired) in mysite/_config.php:

Security::set_password_encryption_algorithm('symfony2');

In order to ensure existing hashes migrated from SF2 will be checked with this class, you need to set the PasswordEncryption column in the Member table to "symfony2" (each member has its used encryptor alias set individually to allow for these types of migrations). So any new users created in SS could still use the default SS password hashing ("blowfish" alias).

Ingo Schommer
  • 716
  • 4
  • 5