
I wrote a simple command in Symfony to take a value from the console and encode it:

$io = new SymfonyStyle($input, $output);
$email = $input->getArgument('email');

// Look the user up by the same property the security provider uses (email)
/** @var User $user */
$user = $this->em->getRepository(User::class)->findOneBy([
    'email' => $email
]);

if (empty($user)) {
    $io->error("User with email '$email' not found");
    return 0;
}

// Read the plain-text password without echoing it to the terminal
$password = $io->askHidden('Password: ');
// UserPasswordEncoderInterface::encodePassword() applies the algorithm
// configured for the user's class (bcrypt here)
$hash = $this->encoder->encodePassword($user, $password);

$io->text("Generated hash: $hash");

Security config fragment:

security:
    encoders:
        App\Entity\User:
            algorithm: bcrypt

    providers:
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email

Is it okay that each call for the same entered value generates a different value? How is it possible to verify when accessing that the passwords are the same if for equal values it generates a different encoding?

Asked by Conde
  • That works as designed. Part of hashing a password is generating a random salt. The salt is stored along with the hash and is used by the verification process. Each time you create a new hash you get a different salt, hence the value is different. PHP functions [password_hash](https://www.php.net/manual/en/function.password-hash.php) and password_verify are ultimately used by the Symfony wrappers. It's worthwhile reading the docs and maybe doing some testing to convince yourself that even if you have two different values, they can still securely verify the same password. – Cerad Sep 05 '20 at 15:19
  • And to answer your final question: $encoder->isPasswordValid($hash,$raw) will do the verification. Lots of examples out there. – Cerad Sep 05 '20 at 15:28
  • Thank you very much @Cerad. If you answer I accept your answer. What is happening to me is that at a certain moment (days after the users have registered and accessed) the password verification (`$encoder->isPasswordValid($hash, $raw)`) returns false and that is driving me crazy. Do you have any idea what it might be? – Conde Sep 05 '20 at 15:41
  • There is a rehashing subsystem that occasionally rehashes a password. No idea if your app uses it or not. But even that should not impact anything. I would look at my older database backups and see if the hash value itself has changed. Never heard of a case when the same hash would suddenly stop validating. What Symfony versions are you using? – Cerad Sep 05 '20 at 16:17
  • @Cerad I am using version 4.4 – Conde Sep 05 '20 at 17:57
  • Can you show when/where you're storing the new password and where you check the password? – Jakumi Sep 05 '20 at 22:43
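The point made in the comments above (a fresh random salt per hash, verification recomputing with the stored salt, and the rehash mechanism) can be seen directly with the PHP functions the Symfony bcrypt encoder delegates to. The following is an added example, not code from the question or from Symfony; the sample password, the `hashTwice()` and `parseBcrypt()` helpers and the simulated truncated column are all constructed for illustration.

```php
<?php
// Added example (not from the question or Symfony's code): why two bcrypt
// hashes of the same password differ, and why both still verify.
// Only PHP's built-in password_hash()/password_verify() are used; these are
// what the Symfony encoder calls for the "bcrypt" algorithm.

declare(strict_types=1);

// Constructed sample password; a real command reads it via askHidden().
const SAMPLE_PASSWORD = 'correct horse battery staple';

/** Produce two independent hashes of the same password. */
function hashTwice(string $password): array
{
    return [
        password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]),
        password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]),
    ];
}

/**
 * Split a bcrypt string into its parts.
 * Format: $2y$<2-digit cost>$<22-char salt><31-char digest>, 60 chars total.
 * Returns null when the string is not a well-formed bcrypt hash (for example
 * because it was truncated by a column shorter than 60 characters).
 */
function parseBcrypt(string $encoded): ?array
{
    $re = '#^\$2[aby]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $encoded, $m)) {
        return null;
    }
    return ['cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]];
}

[$hashA, $hashB] = hashTwice(SAMPLE_PASSWORD);

printf("hash A: %s\n", $hashA);
printf("hash B: %s\n", $hashB);
// The two strings differ because each call drew its own random salt.
printf("identical strings? %s\n", $hashA === $hashB ? 'yes' : 'no');
printf("same salt? %s\n",
    parseBcrypt($hashA)['salt'] === parseBcrypt($hashB)['salt'] ? 'yes' : 'no');

// Verification re-runs bcrypt with the salt and cost embedded in the stored
// string, so both strings accept the right password and reject a wrong one.
var_dump(password_verify(SAMPLE_PASSWORD, $hashA));
var_dump(password_verify(SAMPLE_PASSWORD, $hashB));
var_dump(password_verify('wrong password', $hashA));

// Sanity check for a stored value that "suddenly" fails to verify: a bcrypt
// hash is always exactly 60 characters. Anything else means the stored value
// was altered or truncated, not that verification became unreliable.
$stored = substr($hashA, 0, 50); // constructed: simulate a truncated column
var_dump(strlen($hashA) === 60);
var_dump(parseBcrypt($stored) === null);
var_dump(password_verify(SAMPLE_PASSWORD, $stored));

// password_needs_rehash() is what a "rehash on login" scheme relies on: it is
// true only when the stored hash's algorithm or cost differs from the current
// policy. A rehash stores a new string (new salt) that still verifies.
var_dump(password_needs_rehash($hashA, PASSWORD_BCRYPT, ['cost' => 12]));
var_dump(password_needs_rehash($hashA, PASSWORD_BCRYPT, ['cost' => 13]));
```

Run it with `php example.php`. In a Symfony 4.4 application the same checks can be done through the injected encoder: `encodePassword($user, $raw)` wraps `password_hash()` and `isPasswordValid($user, $raw)` wraps `password_verify()` against the hash stored on the user, so comparing hash strings with `===` is never the right way to check a password.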

0 Answers