0

I am trying the Simple Acl controlled Application tutorial from the CakePHP website and I have a problem with password hashing.

My tables are:

CREATE TABLE users (
    id INT(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(255) NOT NULL UNIQUE,
    pwd CHAR(40) NOT NULL,
    group_id INT(11) NOT NULL
);

CREATE TABLE groups (
    id INT(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
    name VARCHAR(100) NOT NULL
);

And in model User.php I have:

public function beforeSave($options = array()) {
  $this->data['User']['pwd'] = AuthComponent::password($this->data['User']['pwd']);
  return true;
}

If I click Edit User on the website and then Submit, pwd is hashed again. How can I fix that?

I tried this from this forum:

public function beforeSave($options = array()) {
    if (!empty($this->data['User']['pwd'])) {
        $this->data['User']['pwd'] = AuthComponent::password($this->data['User']['pwd']);
    } else {
        unset($this->data['User']['pwd']);
    }
    return true;
}

But it is not working.

My edit.ctp:

<div class="users form">
<?php echo $this->Form->create('User'); ?>
<fieldset>
    <legend><?php echo __('Edit User'); ?></legend>
<?php
    echo $this->Form->input('id');
    echo $this->Form->input('username');
    echo $this->Form->input('pwd');
    echo $this->Form->input('group_id');
?>
</fieldset>
<?php echo $this->Form->end(__('Submit')); ?>
</div>
<div class="actions">
<h3><?php echo __('Actions'); ?></h3>
<ul>
    <li><?php echo $this->Form->postLink(__('Delete'), array('action' => 'delete', $this->Form->value('User.id')), null, __('Are you sure you want to delete # %s?', $this->Form->value('User.id'))); ?></li>
    <li><?php echo $this->Html->link(__('List Users'), array('action' => 'index')); ?></li>
    <li><?php echo $this->Html->link(__('List Groups'), array('controller' => 'groups', 'action' => 'index')); ?> </li>
    <li><?php echo $this->Html->link(__('New Group'), array('controller' => 'groups', 'action' => 'add')); ?> </li>
</ul>
</div>

And add.ctp:

<div class="users form">
<?php echo $this->Form->create('User'); ?>
<fieldset>
    <legend><?php echo __('Add User'); ?></legend>
<?php
    echo $this->Form->input('username');
    echo $this->Form->input('pwd');
    echo $this->Form->input('group_id');
?>
</fieldset>
<?php echo $this->Form->end(__('Submit')); ?>
</div>
<div class="actions">
<h3><?php echo __('Actions'); ?></h3>
<ul>
    <li><?php echo $this->Html->link(__('List Users'), array('action' => 'index')); ?></li>
    <li><?php echo $this->Html->link(__('List Groups'), array('controller' => 'groups', 'action' => 'index')); ?> </li>
    <li><?php echo $this->Html->link(__('New Group'), array('controller' => 'groups', 'action' => 'add')); ?> </li>
</ul>
</div>

jww
  • 97,681
  • 90
  • 411
  • 885
user3027356
  • 129
  • 1
  • 1
  • 7
  • Have a look at the topic with a similar problem: [authentication hashing issue](http://stackoverflow.com/questions/617471/why-is-the-cakephp-authentication-component-not-hashing-my-password) – user3052471 Nov 30 '13 at 16:55
  • It is for CakePHP 1.x and not helpful for me. – user3027356 Nov 30 '13 at 17:07
  • What version of CakePHP? What does your form look like? Is the password field populated w/ the data from the database? – Dave Nov 30 '13 at 17:07
  • 2.4.2. Added edit.ctp to first post. – user3027356 Nov 30 '13 at 17:15
  • You still haven't answered Dave's question about populating the form field with data. If your pwd field is populated with data then you will get that field hashed twice. So you have to figure out if you want to clear that field before sending data to the view and decide whether you want to save the form only if the password is entered or it can be blank. A lot of choices. – skywalker Nov 30 '13 at 21:57
  • Yes, if I click on Edit, in pwd field is hash password as ******************. – user3027356 Dec 01 '13 at 10:43
  • If you can't find any solution, separate the `Edit user details` form and the `change password` form. That way your password won't be hashed twice. And allowing a password change with one field is not good practice... – karmicdice Dec 02 '13 at 11:33
  • possible duplicate of [Is "double hashing" a password less secure than just hashing it once?](http://stackoverflow.com/questions/348109/is-double-hashing-a-password-less-secure-than-just-hashing-it-once) – jww Oct 12 '14 at 01:46

3 Answers

0

Remove AuthComponent password from before save. You can use it when saving a user.

If you put it in the beforeSave method it will trigger every time you add, edit, update and delete.

Mir Adnan
  • 844
  • 11
  • 24
  • 1
    This doesn't make sense. That's how he's hashing the password. (and `beforeSave()` does not trigger when you delete) – Dave Nov 30 '13 at 21:00
  • Yes, if I click on Edit, in pwd field is hash password as ******************. – user3027356 Dec 01 '13 at 10:44
0

Thank you for help. Finally solved by this:

https://groups.google.com/forum/#!msg/cake-php/sJLi4lCqgog/2X9VpzqWs-0J

user3027356
  • 129
  • 1
  • 1
  • 7
0

Compare the hashes:

You can compare the hash saved in the database against the text in the password field. If you haven't touched the password (changed the password field), the hashes should match. Let's say your saved hash is xyz, and the hash loaded in the password field is still untouched, xyz; in this case you don't have to rehash anything, and the hashes should remain the same.

In the other case, let's say your saved hash is xyz, but you edited the password HTML field to be abc; in this case you will have to rehash the new password (abc) and then replace the old one you have in the database record.

All of this can be translated into code as follows:

// At the top of the model file: SimplePasswordHasher is not loaded automatically in CakePHP 2.x.
App::uses('SimplePasswordHasher', 'Controller/Component/Auth');

public function beforeSave($options = array()) {

    if (isset($this->data[$this->alias]['password'])) {

        $user = array();
        if (isset($this->data[$this->alias]['id'])) {
            $id = $this->data[$this->alias]['id'];
            $user = $this->findById($id);
        } else {
            $id = false;
        }

        // Rehash for a new user, when no stored record was found for the id, or when
        // the submitted value differs from the stored hash. Strict comparison (!==)
        // avoids PHP treating two different numeric-looking strings as equal.
        if (!$id || empty($user) || $this->data[$this->alias]['password'] !== $user[$this->alias]['password']) {
            $passwordHasher = new SimplePasswordHasher();
            $this->data[$this->alias]['password'] = $passwordHasher->hash(
                $this->data[$this->alias]['password']
            );
        }

    }

    return true;
}

Regards, M

Manuel Ro
  • 206
  • 3
  • 10
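The following is an added example, not code from the question, from any of the answers, or from CakePHP itself. It takes the empty-field route the asker tried (and that skywalker's comment describes) rather than Manuel Ro's compare-the-hashes route, so the stored hash is never sent to the browser and cannot come back to be hashed a second time. It assumes CakePHP 2.4 (SimplePasswordHasher is available from 2.4 on), the `users` table from the question with the hash in the CHAR(40) `pwd` column, the tutorial's AppController with the Session component loaded, and the usual baked class names; the model and controller would normally live in `app/Model/User.php` and `app/Controller/UsersController.php` rather than in one file.

```php
<?php
// Added example (not the asker's code or CakePHP's own): hash 'pwd' only when a new
// password was actually typed, and never hand the stored hash to the edit form.
// Assumes CakePHP 2.4, the 'users' table from the question, and that AppController
// loads the Session component.

App::uses('AppModel', 'Model');
App::uses('SimplePasswordHasher', 'Controller/Component/Auth');

class User extends AppModel {

    public $validate = array(
        'pwd' => array(
            'required' => array(
                'rule' => 'notEmpty',
                'on' => 'create',   // a new user needs a password; an edit may leave it blank
                'message' => 'A password is required',
            ),
        ),
    );

    public function beforeSave($options = array()) {
        $alias = $this->alias;
        if (!isset($this->data[$alias]['pwd']) || $this->data[$alias]['pwd'] === '') {
            // Edit submitted with an empty password box: drop the key so save()
            // leaves the stored hash untouched instead of overwriting it.
            unset($this->data[$alias]['pwd']);
            return true;
        }
        // A non-empty value here is plaintext typed by the user, because edit()
        // below never echoes the stored hash back into the form. Hash it once.
        $hasher = new SimplePasswordHasher();
        $this->data[$alias]['pwd'] = $hasher->hash($this->data[$alias]['pwd']);
        return true;
    }
}

App::uses('AppController', 'Controller');

class UsersController extends AppController {

    public function edit($id = null) {
        $this->User->id = $id;
        if (!$this->User->exists()) {
            throw new NotFoundException(__('Invalid user'));
        }
        if ($this->request->is('post') || $this->request->is('put')) {
            if ($this->User->save($this->request->data)) {
                $this->Session->setFlash(__('The user has been saved'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('The user could not be saved. Please try again.'));
        } else {
            // Populate the form from the database, but strip the hash first so the
            // password box is rendered empty and the hash is never re-submitted.
            $this->request->data = $this->User->read(null, $id);
            unset($this->request->data['User']['pwd']);
        }
    }
}
```

In `edit.ctp`, render the field as a password input with an explicitly empty value, `echo $this->Form->input('pwd', array('type' => 'password', 'value' => ''));`, so that even if some other action forgets to unset the hash the browser still receives a blank field. The combination means an edit that leaves the box empty keeps the existing hash, an edit that types a new password stores a single hash of that plaintext, and the `notEmpty` rule scoped to `create` still forces a password when a user is first added.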