3

I'm trying to implement phpass authentication in Yii, however it fails every time. I've been reading many SO articles and haven't found a solution yet, so I'm thinking this must be a Yii-specific issue.

In User.php I'm saving the hashed password:

```php
public function beforeSave() {
    $phpass = new PasswordHash(8, false);
    $hash = $phpass->HashPassword($this->user_pass);
    $this->user_pass = $hash;
    return true;
}
```

In UserIdentity I'm checking the password:

```php
public static function isPasswordValid($plainPass, $hashedPass) {
    $phpass = new PasswordHash(8, false);
    $isValid = $phpass->CheckPassword($plainPass, $hashedPass);

    if($isValid){
        return true;
    }

    return false;
}
```

`$hashedPass` is coming out of the db, `$plainPass` is what the user just entered into the form, but `$isValid` returns false all the time. In fact, I pulled the hashed password out of the database and applied it manually, and it still fails:

```php
$isValid = $phpass->CheckPassword('password', '$2a$08$P9X8duz7S8LOysz1XIn3fe/YYW3dwAs2busSBIX/QnZhKH/R9/H1S');
```

I've checked to make sure the hashed password is not truncated in the database on insert and it is not... I have adjusted my password field to varchar 60 as per another SO article and that hasn't helped...

EDIT: It seems that if I manually paste the hash into the database field, the authentication works after generating it via:

```php
echo $phpass->HashPassword('password');
```
keeg

1 Answer

3

The problem might be in `beforeSave`. You hash `user_pass` each time you save the user. If you save the user twice, your password will be hashed twice, and thus be useless.

I use phpass with Yii without a problem; however, I only hash the password if it's manually set by the user.

Try to hash the password only if the user modifies/sets it.

  • 1
    You are right... The `beforeSave` was the issue, I wrapped it in `$this->scenario == 'register'` and it works perfectly now – keeg Feb 05 '13 at 18:52
  • Good idea of using scenarios for this case –  Feb 05 '13 at 20:56
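
The double-hash failure and the "hash only when the user sets it" fix described in the answer, as an added example that is not part of the original posts. It is plain PHP without Yii or phpass: the built-in `password_hash()`/`password_verify()` stand in for `HashPassword()`/`CheckPassword()`, and the names `NaiveUser`, `GuardedUser` and `loginAfterSaves` are hypothetical.

```php
<?php
// Added example: plain PHP, no Yii or phpass needed. password_hash() and
// password_verify() stand in for phpass HashPassword() and CheckPassword().

// Hypothetical model that mirrors the question: hashes user_pass on EVERY save.
class NaiveUser {
    public $user_pass;
    public function save() {
        $this->user_pass = password_hash($this->user_pass, PASSWORD_BCRYPT, ['cost' => 8]);
    }
}

// Hypothetical model that hashes only when a new plaintext password was set.
class GuardedUser {
    public $user_pass;               // stored bcrypt hash
    private $newPassword = null;     // plaintext supplied by the user, if any
    public function setPassword($plain) {
        $this->newPassword = $plain;
    }
    public function save() {
        if ($this->newPassword !== null) {
            $this->user_pass = password_hash($this->newPassword, PASSWORD_BCRYPT, ['cost' => 8]);
            $this->newPassword = null;   // later saves leave the stored hash alone
        }
    }
}

// Save the record $saves times, then attempt a login with $plain.
function loginAfterSaves($user, $plain, $saves) {
    for ($i = 0; $i < $saves; $i++) {
        $user->save();
    }
    return password_verify($plain, $user->user_pass);
}

$naive = new NaiveUser();
$naive->user_pass = 'password';      // constructed sample password
echo 'naive, first save:    ', var_export(loginAfterSaves($naive, 'password', 1), true), PHP_EOL;
// The next save (e.g. a profile update) hashes the stored hash, so the
// original password no longer verifies against what is in the database.
echo 'naive, second save:   ', var_export(loginAfterSaves($naive, 'password', 1), true), PHP_EOL;

$guarded = new GuardedUser();
$guarded->setPassword('password');
echo 'guarded, three saves: ', var_export(loginAfterSaves($guarded, 'password', 3), true), PHP_EOL;
```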