Disabling Security Salt for plain MD5 hashing in AuthComponent?

Question

My CakePHP 2.1 app shares its user database table with another app. In order for users to be able to log in to both applications, the password field needs to be hashed in plain MD5. Changing the other app or the database is not an option.

I am able to change the hashing algorithm from SHA1 (the default?) to MD5 by the following:

<?php
// AppController.php

public function beforeFilter()
{
    Security::setHash('md5');
}
?>

And I can add new users to the system with plain MD5 passwords:

<?php
// User.php

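public function beforeSave($options = array())
{
    if (isset($this->data['User']['password']))
    {
        // Third argument false: hash without prepending Security.salt
        $this->data['User']['password'] = Security::hash($this->data['User']['password'], 'md5', false);
    }
    // CakePHP 2.x aborts the save unless beforeSave() returns true
    return true;
}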
?>

Note that the false boolean parameter for Security::hash tells Cake not to use the Security Salt on the password.

The problem arises with authentication. When I log in users through $this->Auth->login() using Form authentication, I believe AuthComponent still uses MD5 hashing to verify the password, but it is still applying the Security Salt on top of that.

The only way around this problem is to either set the Security salt and cipherSeed as empty strings:

<?php

// core.php
Configure::write('Security.salt', '');
Configure::write('Security.cipherSeed', '');

?>

...or to just comment them out.

Is there any way to tell $this->Auth->login() to ignore the Security salt without having to remove them from core.php? I would still like to use the hashing functionality of AuthComponent::password() elsewhere.

Recommended answer

You could do the login manually by passing the correct user to the Auth->login() function:

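$username = $this->request->data['User']['username'];
// Hash the submitted password without Security.salt so it matches the stored plain MD5
$password = Security::hash($this->request->data['User']['password'], 'md5', false);

$user = $this->User->find('first', array('conditions' => array('username' => $username, 'password' => $password)));
// find('first') returns an empty array in CakePHP 2.x when nothing matches,
// so test for emptiness rather than comparing against false
if (!empty($user))
{
    $this->Auth->login($user['User']);
}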
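
Why $this->Auth->login() rejects these users, and a manual check that avoids the mismatch, as a plain-PHP example added here (not code from the question, the answer, or CakePHP itself). salted_md5() models Security::hash() with the salt flag on; APP_SALT, verify_plain_md5() and the $users array are hypothetical names and constructed values.

```php
<?php
// Added illustration: plain PHP, no CakePHP required. All values are constructed.

// Stand-in for Configure::read('Security.salt') (constructed value).
const APP_SALT = 'constructed-example-salt';

// Models Security::hash($pw, 'md5', true): the app-wide salt is prepended
// to the password before hashing.
function salted_md5($password) {
    return md5(APP_SALT . $password);
}

// Models Security::hash($pw, 'md5', false): what the shared table stores.
function plain_md5($password) {
    return md5($password);
}

// Hypothetical helper: look the row up by username only, then compare the
// digests in constant time (hash_equals() needs PHP >= 5.6).
function verify_plain_md5(array $users, $username, $password) {
    if (!isset($users[$username])) {
        return false;
    }
    $row = $users[$username];
    if (!hash_equals($row['password'], plain_md5($password))) {
        return false;
    }
    unset($row['password']); // keep the digest out of the session data
    return $row;
}

// Constructed stand-in for the shared users table.
$users = array(
    'alice' => array('id' => 1, 'username' => 'alice', 'password' => md5('correct horse')),
);

// Salted digest compared with the stored plain digest: the source of the failed logins.
var_dump(salted_md5('correct horse') === $users['alice']['password']);
var_dump(verify_plain_md5($users, 'alice', 'correct horse'));  // correct password
var_dump(verify_plain_md5($users, 'alice', 'wrong'));          // wrong password
var_dump(verify_plain_md5($users, 'nobody', 'correct horse')); // unknown user
```

In a controller, the row returned on success is what would be handed to $this->Auth->login(), as in the answer above.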
