1

We have a Wordpress site which we are going to gradually rebuild using the cakePHP framework. We will replace different parts of the Wordpress site incrementally, so we need to implement some sort of single sign on to allow authorization across both frameworks during the time while both frameworks are running side by side.

We have a pretty good strategy for how to do this. In short, we will duplicate all user rows in two different tables: one table for Wordpress (wp_users) and a different table for Cake (users). [More details outlined here (in case you're interested).]

This means when we create a user in Wordpress or Cake, we create the same user in the other table as well. This is "mostly harmless"...

We are struggling with the different password hashing strategies between Wordpress and Cake. In order to save the same user password in both tables, we need to figure out how to hash it so that each respective framework can check it.

Wordpress uses a pretty advanced hashing algorithm: PHPass. Cake (by default) seems to offer a choice of more traditional algorithms: SHA1, md5, blowfish... with optional salting.We're stuck on the fact that Wordpress generates/emails a default password to new users and then immediately saves a hashed version in the DB. This hashed version of the password is pretty useless to cake, unless we can figure out how to replicate all of the Wordpress authorization protocols (which seems somewhat daunting for new Cake users).

Is there an elegant solution to this problem?

Community
  • 1
  • 1
emersonthis
  • 32,822
  • 59
  • 210
  • 375

1 Answers1

0

I would suggest to keep user management centralised in either Wordpress or CakePHP until the migration to CakePHP is completed.

As of CakePHP 2.3, bcrypt/blowfish is officially supported for hashing passwords; http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#using-bcrypt-for-passwords

However, if you already have your Single-Sign on working, why not leave the password syncing for the time being? Once migration to CakePHP is complete, consider the following options;

  • Send an email to all users containing a unique link to reset their password; resetting the password will actually create a hashed password in CakePHP and enable the new account. The unique links should be invalidated after that (also make sure that the link will expire after a certain period anyway)
  • Because both CakePHP and PHPass use bcrypt/blowfish, you may be able to copy the hashed passwords to CakePHP when migration is completed. However, you will need to determin 'how' PHPass passwords and salts are stored (separate fields? single field with a delimiter?). You may have to write your own Authorize Object that will pick the right 'salt' from the database
thaJeztah
  • 27,738
  • 9
  • 73
  • 92
  • The second bullet point in your answer speaks more to what I'm trying to figure out. It's an interesting observation about the overlap between CakePHP and PHPass (bcrypt/blowfish), but I'm not sure how to use that information. – emersonthis Apr 02 '13 at 23:30
  • FWIW, here is the class that WordPress uses to hash passwords, using the `HashPassword()` method: http://core.trac.wordpress.org/browser/trunk/wp-includes/class-phpass.php – doublesharp Apr 03 '13 at 03:51