I am using this to hash passwords: https://github.com/ircmaxell/password_compat

    $hash = password_hash($pass1, PASSWORD_BCRYPT, array("cost" => 16));

    if (password_verify($password, $hash)) {
        /* Valid */
    } else {
        /* Invalid */
    }

It works. It hashes passwords. But I don't know how to verify the password in the login page. I have tried with sessions but it doesn't work with sessions either.

  • What is `$password` and `$pass1`? – ʰᵈˑ Feb 03 '16 at 12:18
  • 2
    Pull the hashed password from the database, use `password_verify($submittedForm, $fromDatabase)` to verify. It's either `true` or `false`. – Qirel Feb 03 '16 at 12:18
  • encrypt the input password and compare it with db. – Rogin Thomas Feb 03 '16 at 12:19
  • @RoginThomas That won't work with `password_hash()`.. It would work for sha1/md5 hashes, but those you really should avoid. – Qirel Feb 03 '16 at 12:20
  • Use `password_hash()` in the registration form, and store the result in the database. In the login form you fetch the stored hash from the database and check the user entered password with `password_verify()`. – martinstoeckli Feb 03 '16 at 12:24

3 Answers

You have to put the hash in the database.

Step one: create and store the hash in the database

    $hash = password_hash($pass1, PASSWORD_BCRYPT, array("cost" => 16));

Step two: login

    // $row['password_hash'] and $_POST['password'] are placeholder names:
    // the stored hash of the user fetched from the database by unique id,
    // and the string submitted by the user from the login form
    $hash = $row['password_hash'];
    $password = $_POST['password'];

    if (password_verify($password, $hash)) {
        // the stored hash was made with weaker parameters: upgrade it now,
        // while the plaintext is available
        if (password_needs_rehash($hash, PASSWORD_BCRYPT, array("cost" => 16))) {
            $hash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 16));
            /* Store new hash in db */
        }
    } else {
        /* Invalid */
    }

Hope it will help you.

GameTag

The way I have done it in the past is in the following steps:

1) User submits their Username/password combination.

2) I see if the username exists in the database; if it does, I pull that user record out of the database, and if it doesn't, I present a generic error to the user (i.e. wrong username/password combination).

3) I then use the password_verify function with the submitted password against the hashed password connected to the user they are trying to log in as.

4) If it's true, they're logged in; otherwise I present the same generic error to the user (wrong username/password combination).

Mikey
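
A complete worked version of the register-then-login flow from GameTag's answer and the four login steps in Mikey's answer, added here as an example; it is not code from either answer or from the password_compat library. It assumes an in-memory SQLite database reached through PDO and a hypothetical `users` table with columns `id`, `username` and `password_hash`; it uses cost 12 so the demo runs in a few hundred milliseconds (the question uses cost 16). On PHP 5.5+ the `password_*` functions are built in; on older PHP include the library's `password.php` first.

```php
<?php
// Added example, not from the question or the answers. Assumed schema: users(id,
// username, password_hash) in an in-memory SQLite database opened through PDO.
// require_once 'lib/password.php'; // only needed on PHP < 5.5 with password_compat
declare(strict_types=1);

const BCRYPT_OPTIONS = ['cost' => 12]; // the question uses cost 16

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL
    )');
    return $pdo;
}

// Step one (registration form): hash the plaintext and store only the hash.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// A hash of a throwaway string, verified against when the username is unknown so
// that a failed login takes the same time whether or not the account exists.
define('DUMMY_HASH', password_hash('dummy-password', PASSWORD_BCRYPT, BCRYPT_OPTIONS));

// Step two (login form): fetch the stored hash by username, verify the submitted
// password, and upgrade the hash if it was made with weaker parameters.
// Returns the user id on success, null on any failure (the caller shows one generic
// "wrong username/password" message for both cases).
function loginUser(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, DUMMY_HASH); // unknown user: burn the same time
        return null;
    }

    if (!password_verify($password, $row['password_hash'])) {
        return null;
    }

    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => $newHash, ':id' => $row['id']]);
    }

    return (int) $row['id'];
}

// Demo with constructed credentials.
$pdo = connect();
registerUser($pdo, 'alice', 'correct horse battery staple');

var_dump(loginUser($pdo, 'alice', 'correct horse battery staple')); // user id
var_dump(loginUser($pdo, 'alice', 'wrong password'));               // null
var_dump(loginUser($pdo, 'nobody', 'anything'));                    // null
```

The session part the question asks about only begins after `loginUser()` returns an id: call `session_regenerate_id(true)` and store that id in `$_SESSION`, never the password or the hash. The comparison itself is always done by `password_verify()` against the hash read from the database; hashing the submitted password again and comparing strings cannot work with bcrypt, because each call to `password_hash()` picks a fresh salt and produces a different string.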

Basically you have to hash the password the user puts in on the login page and check whether the saved hash in the database is equal to the hashed password that the user sends on login.

Amir Hoseinian