Cakephp 3.0 alpha2 How to compare new password to

Published 2019-09-06 00:07

Okay, so I am testing out Cakephp 3.0 alpha2 by transferring my application (2.5) to 3.x. My current application has it set up so that when you reset your password you cannot change it to any of the previous six passwords (stored in a passwords table that connects it by the user_id) for security purposes. As I look at the changes in Cake 3.0, I noticed that if you create a new entity the password hashes differently even if it is the same password. What would be a good way to compare the new password to the old ones? Would I go about using the password hasher's built-in function called check?

1 answer
我命由我不由天
Post #2 · 2019-09-06 00:55

CakePHP 3 uses bcrypt. In brief: bcrypt uses a different salt for each password, and stores the salt as part of the password hash. That is why, as you've found, bcrypt will generate a different hash each time the same plain-text password is encrypted.

However, if it's to be of any use as an authentication system, you have to be able to check if a plain-text password 'fits' for a given hashed version of that password - even though there's not one single 'correct' hashed version, right? Right.

You do this with the password_verify method - http://au2.php.net/password_verify

So, rather than hashing the plain-text version and seeing if the hashed version of the new password matches the hashed versions of each of the past 6 versions, you have to call password_verify on the plain-text password 6 times - once for each of the previous hashed passwords, to see if there are any matches.

There's a good explanation of bcrypt in php here: How do you use bcrypt for hashing passwords in PHP? I'd recommend reading that - once you understand how bcrypt treats passwords, your problem shouldn't be too hard to solve.
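As an added example (not part of the answer above and not CakePHP's own code), this plain PHP implements the check the answer describes: verify the plain-text candidate against each stored bcrypt hash with password_verify(), and keep the history trimmed to six entries. The function names and the sample passwords are constructed for illustration.

```php
<?php
// Added example: reject a new password that matches any of the user's
// previous bcrypt hashes. Each stored hash carries its own salt, so a
// freshly computed hash of the same password would never be equal to an
// old one; the only way to compare is password_verify() per stored hash.
// In CakePHP 3, DefaultPasswordHasher::check($plain, $hash) wraps the
// same password_verify() call, so it can be used in place of it.

/**
 * Return true if $plainNew matches any hash in $previousHashes.
 * (Hypothetical helper name, not a CakePHP API.)
 */
function isPasswordReused($plainNew, array $previousHashes)
{
    foreach ($previousHashes as $hash) {
        if (password_verify($plainNew, $hash)) {
            return true;
        }
    }
    return false;
}

/**
 * Prepend $newHash and keep only the most recent $limit hashes,
 * matching the six-entry passwords table from the question.
 */
function pushPasswordHistory(array $history, $newHash, $limit = 6)
{
    array_unshift($history, $newHash);
    return array_slice($history, 0, $limit);
}

// Constructed sample data: three past passwords hashed on separate occasions.
// The two hashes of 'winter2014' differ from each other, yet both verify.
$history = [
    password_hash('winter2014', PASSWORD_BCRYPT),
    password_hash('autumn2014', PASSWORD_BCRYPT),
    password_hash('winter2014', PASSWORD_BCRYPT),
];

var_dump(isPasswordReused('winter2014', $history));   // reused: rejected
var_dump(isPasswordReused('spring2015', $history));   // not in history

// On a successful reset, store the new hash and drop anything past six.
$candidate = 'spring2015';
if (!isPasswordReused($candidate, $history)) {
    $history = pushPasswordHistory($history, password_hash($candidate, PASSWORD_BCRYPT));
}
var_dump(count($history));
```

Store only the hashes, never the plain-text passwords, in the history table; the check above needs nothing else.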
