Troubles with logging in with a newly created user

Question

I created a CRUD that allows me to create users, societies and schools in a back office.

However, for an unknown reason, I can't log in with a created user with the password I gave him.

Here is my controller (the part where the user is created)

/**
 * Creates a new User entity.
 *
 * @Route("/new", name="user_new")
 * @Method({"GET", "POST"})
 */
public function newAction(Request $request)
{
    $user = new User();
    $form = $this->createForm('UserBundle\Form\UserType', $user);
    $form->handleRequest($request);

    if ($form->isSubmitted() && $form->isValid()) {
        $em = $this->getDoctrine()->getManager();


        $password = $this->get('security.password_encoder')->encodePassword($user, $user->getPassword());

        $user->setPassword($password);
        $em->persist($user);
        $em->flush();

        return $this->redirectToRoute('user_show', array('id' => $user->getId()));
    }

    return $this->render('user/new.html.twig', array(
        'user' => $user,
        'form' => $form->createView(),
    ));
}

After registering a new user, when I check it in the fos_user table, I can see that the password has been encrypted. However, if I try to login with the password I used, I simply get "bad credential" from my login form.

I can't figure out why. Tell me if you need to see another file, I'll update my question

Any idea ?

Thank you in advance

Possible duplicate of [Symfony2 $user->setPassword() updates password as plain text \[DataFixtures + FOSUserBundle\]](http://stackoverflow.com/questions/9183368/symfony2-user-setpassword-updates-password-as-plain-text-datafixtures-fos) — CountZero, Aug 02 '16 at 22:03
I don't want to populate my database, I want my admin to be able to create users with a simple register form... I tried the example in the cookbook but it still fails;. — Jaeger, Aug 03 '16 at 12:23
Never mind, I found out that when I create a user, everything is fine excepted that the user account is disabled. I just had to add $user->setEnabled(true), and everything workrd fine! — Jaeger, Aug 03 '16 at 21:15
if salt is empty in your database, then your site is vulnerable to bruteforce by encrypted vocabulary, so it's better to use UserManager and setPlainPassword. — CountZero, Aug 03 '16 at 21:20
i use Bcrypt to encode, I checked when I created these users and the salt column gets filled each time, so no problem there :) — Jaeger, Aug 03 '16 at 21:26

score 2 · Answer 1 · answered Aug 03 '16 at 21:17

The correct way to create user and set password in FOSUserBundle is the following:

$userManager = $this->container->get('fos_user.user_manager');

$userAdmin = $userManager->createUser();

$userAdmin->setUsername('System');
$userAdmin->setEmail('system@example.com');
$userAdmin->setPlainPassword('test');
$userAdmin->setEnabled(true);

$userManager->updateUser($userAdmin, true);

Password is kept encrypted in database. And to make it harder to bruteforce, database contains an additional field, named salt. You don't store it in your code, that's why it's impossible later to check password. But actually, you don't have to encrypt password and store it in database. User model contains a special method for it, setPlainPassword, which is intended to encrypt password populate both fields salt and password in database with correct values.

Troubles with logging in with a newly created user

1 Answers1