
I have a little issue with checking bcrypt-hashed passwords with Phalcon PHP. What I have is a login script where I check the password:

    $username = $this->request->getPost('username', 'string');
    $password = $this->request->getPost('password', 'string');
    $conditions = "Username = :username:";
    $parameters = array(
        "username" => $username
    );

    // findFirst() returns the model on a match and false when no row matches
    $user = Users::findFirst(array($conditions, 'bind' => $parameters));
    // check if user exists
    if ($user !== false) {

        if ($this->security->checkHash($password, $user->Password)) { // always fails
            // login
            $this->session->set('username', $user->Password);
            $this->response->redirect('index');
        }
    }

In my Registration I have :

    $name = $this->request->getPost('name', 'string');
    $lastName = $this->request->getPost('lastName', 'string');
    $username = $this->request->getPost('username', 'string');
    $password = $this->request->getPost('password', 'string');
    $email = $this->request->getPost('email', 'email');

    $user = new Users(); // model
    $user->Name = $name;
    $user->LastName = $lastName;
    $user->Username = $username;
    // store the bcrypt hash, never the plaintext password
    $user->Password = $this->security->hash($password);
    $user->Email = $email;
    if ($user->save()) {
        // registered
    } else {
        // error
    }

It seems like I am doing everything according to the documentation, but it doesn't seem to work. Could anybody help me, please?

Andriy Haydash
  • Did you, out of interest, trace down what is the stored password in your database, what you receive in `$user->Password` and what does `$this->security->hash($password);` produce if you try hashing the received password again? Do they match? – Ian Bytchek May 03 '14 at 11:47
  • Also, are you sure you are setting the right thing here? `$this->session->set('username', $user->Password);` – Ian Bytchek May 03 '14 at 11:48
  • I have a user with a password 'jt26' in the database. I have tried calling `die($this->security->hash('jt26'));` in my controller to see the password. It produces a different string each and every time. Should it be like that? – Andriy Haydash May 03 '14 at 12:54
  • Very often the database field holding the BCrypt hash is too small, it should be able to store a 60 character string. – martinstoeckli May 03 '14 at 21:18
  • For me, Phalcon also produces different hash results for the same password. Please let me know what I'm missing. – Tuyen Nguyen Jul 16 '14 at 16:50

1 Answer

In your database the stored password must be the encrypted value of jt26, i.e., the product of $this->security->hash('jt26'). Probably you stored the password first and then implemented the register / login function. Just replace jt26 in your database with the string generated by $this->security->hash('jt26') and everything should start working.

> It produces a different string each and every time. Should it be like that?

Yes, that's exactly what it should do. See this for details. The salt is always randomly generated (unless provided), based on which the hash is generated. When verifying the password, Bcrypt uses salt to regenerate the hash and then checks that it matches.

Ian Bytchek
    I haven't inserted the password first. I have done it with the registration script that I provided above. I have done it according to the documentation and it doesn't work. There is probably a silly issue but I can't spot it. – Andriy Haydash May 03 '14 at 13:23
  • Did you try creating a new user? If everything works as you described, before doing `$user->save()` the value of `$user->Password` must be a valid hash, and if the user saves successfully, the value in your db must also be that same valid hash, not `jt26`. Either you did something wrong before, or you are doing something else, which results in a different value being stored in your db. – Ian Bytchek May 03 '14 at 13:39
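The behaviour the answer describes (a fresh random salt on every call, verification re-deriving the hash from the salt embedded in the stored string) and the two failure modes raised in the comments (a plaintext value left in the column, and a column too short for the 60-character bcrypt string) can be reproduced without Phalcon. The script below is an added example, not code from the question, the answer or the Phalcon project; it uses PHP's own `password_hash()` and `crypt()`, which wrap the same bcrypt algorithm that Phalcon's `Security::hash()` / `checkHash()` use. The function names `hashPassword`, `checkPassword` and `isWellFormedBcrypt` are this example's own.

```php
<?php
// Added example (not from the original question or answer): why
// $this->security->hash() returns a different string every call, why
// checkHash() still succeeds, and what two common misconfigurations look like.
// Plain PHP only; no Phalcon installation required.

function hashPassword(string $password, int $cost = 10): string
{
    // A fresh 22-character random salt is embedded in each hash, so two
    // hashes of the same password never match byte-for-byte.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

function checkPassword(string $password, string $storedHash): bool
{
    // crypt() reads the algorithm, cost and salt out of $storedHash itself and
    // re-derives the digest; bcrypt never needs the salt stored separately.
    // hash_equals() compares in constant time.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

function isWellFormedBcrypt(string $storedHash): bool
{
    // A bcrypt string is always exactly 60 characters: "$2y$" (or $2a$/$2b$),
    // a two-digit cost, "$", then 53 characters of salt + digest.
    // A column narrower than VARCHAR(60) silently truncates it.
    return (bool) preg_match('/^\$2[aby]\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $storedHash);
}

$password = 'jt26'; // the password from the question

$h1 = hashPassword($password);
$h2 = hashPassword($password);

printf("hash 1: %s\nhash 2: %s\n", $h1, $h2);
printf("identical strings? %s\n", $h1 === $h2 ? 'yes' : 'no');
printf("both verify?       %s\n",
    (checkPassword($password, $h1) && checkPassword($password, $h2)) ? 'yes' : 'no');
printf("wrong password?    %s\n", checkPassword('jt27', $h1) ? 'verifies' : 'rejected');

// Failure mode 1 (the answer's scenario): the column still holds the plaintext
// 'jt26' instead of a hash, so checkHash() can never succeed.
printf("plaintext in DB:   %s\n", checkPassword($password, 'jt26') ? 'verifies' : 'fails');

// Failure mode 2 (martinstoeckli's comment): a too-narrow column truncated the
// stored hash, e.g. to 50 characters; the salt survives but the digest does not.
$truncated = substr($h1, 0, 50);
printf("truncated hash:    well-formed=%s verifies=%s\n",
    isWellFormedBcrypt($truncated) ? 'yes' : 'no',
    checkPassword($password, $truncated) ? 'yes' : 'no');
```

Expected behaviour: the two hashes differ, both verify, the wrong password is rejected, the plaintext column fails, and the truncated hash is neither well-formed nor verifiable. In a real application, run the `isWellFormedBcrypt()` check once against what is actually read back from the database after `$user->save()`; if it fails, the column width (or a pre-existing plaintext row) is the problem, not `checkHash()`.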