My CakePHP 2.1 app shares its user database table with another app. In order for users to be able to login into both applications, the password field needs to be hashed in plain MD5. Changing the other app or the database is not an option.
I am able to change the hashing algorithm from SHA1 (the default?) to MD5 by the following:
<?php
// AppController.php
App::uses('Security', 'Utility');

public function beforeFilter()
{
    parent::beforeFilter();
    // Switch the app-wide hash type from the default SHA1 to MD5
    Security::setHash('md5');
}
?>
And I can add new users to the system with plain MD5 passwords:
<?php
// User.php
App::uses('Security', 'Utility');

public function beforeSave($options = array())
{
    if (isset($this->data['User']['password']))
    {
        // Plain MD5 with no Security.salt, to match the shared table
        $this->data['User']['password'] = Security::hash($this->data['User']['password'], 'md5', false);
    }
    // beforeSave() must return true or Cake aborts the save
    return true;
}
?>
Note that the false boolean parameter for Security::hash tells Cake not to use the Security Salt on the password.
The problem arises with authentication. When I login users through $this->Auth->login() using Form authentication, I believe AuthComponent still uses MD5 hashing to verify the password, but it is still applying the Security Salt on top of that.
The only way around this problem is to either set the Security salt and cipherSeed as empty strings:
<?php
// core.php
Configure::write('Security.salt', '');
Configure::write('Security.cipherSeed', '');
?>
...or to just comment them out.
Is there any way to tell $this->Auth->login() to ignore the Security salt without having to remove them from core.php? I would still like to use the hashing functionality of AuthComponent::password() elsewhere.
What is the safest and most secure way to address this problem?
You could do the login manually by passing the correct user to the Auth->login() function:
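One way the manual-login approach referred to above can look in CakePHP 2.1 (an added example, not the answerer's own code; it assumes a User model with username and password fields and that SessionComponent is loaded):

```php
<?php
// UsersController.php (added example, assumes User model with username/password columns)
App::uses('AppController', 'Controller');
App::uses('Security', 'Utility');

class UsersController extends AppController {

    public function login() {
        if ($this->request->is('post')) {
            $username = $this->request->data['User']['username'];
            $password = $this->request->data['User']['password'];

            // Hash exactly as the shared table stores it: plain MD5, no Security.salt,
            // instead of letting FormAuthenticate apply its salted hash.
            $hashed = Security::hash($password, 'md5', false);

            // Look the user up ourselves, so AuthComponent never re-hashes the password.
            $user = $this->User->find('first', array(
                'conditions' => array(
                    'User.username' => $username,
                    'User.password' => $hashed,
                ),
                'recursive' => -1,
            ));

            if ($user) {
                // Keep the password hash out of the session.
                unset($user['User']['password']);
                // Passing a user array makes Auth->login() accept it without identification.
                if ($this->Auth->login($user['User'])) {
                    return $this->redirect($this->Auth->redirect());
                }
            }
            // Same message for unknown user and wrong password.
            $this->Session->setFlash(__('Invalid username or password'));
        }
    }
}
```

Because the lookup happens here rather than in FormAuthenticate, Security.salt and Security.cipherSeed can stay set in core.php and AuthComponent::password() keeps working elsewhere.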