
I have created a PHP file which includes the following code:

```php
...
...
$password = password_hash($_GET['password'], PASSWORD_ARGON2I, ['memory_cost' => 2048, 'time_cost' => 4, 'threads' => 3]);
...
...
```

I have tested it on an XAMPP server on my personal machine, and it works fine. When I transferred the file to my AWS EC2 server, the password_hash function does not seem to work. I'm using PHP 7.2.5 on the AWS EC2 server, and on XAMPP as well. Additional information: my machine is Windows 10 and the EC2 is RedHat. I have been trying for a whole day to figure this out but no luck. What could be the problem? And how can I solve this?

Abdullah
  • Saying things like "does not seem to work" does not help. – Mike May 24 '18 at 17:15
  • @Mike well, it does not work actually, I tried to do `echo $password = $_GET['password'];` and it works just fine, so the problem must be in the password_hash function, right? – Abdullah May 24 '18 at 17:21
  • Is PHP compiled from source? If yes, it must be compiled with `--with-password-argon2`, and the packages `argon2 libargon2-0` must also be installed. – Pyton May 24 '18 at 17:21
  • Wait, you're sending passwords with GET? That's a terrible idea. See my answer here: https://stackoverflow.com/questions/6833914/how-to-prevent-the-confirm-form-resubmission-dialog/6834275#6834275. – Mike May 24 '18 at 17:35
  • @Pyton Actually on Ubuntu Argon2 is built in to PHP. In fact, installing the `argon2` package created conflicts with PHP for some reason and I had to remove it to make it work. – Mike May 24 '18 at 17:37
  • @Abdullah What is the output of `var_dump($password);` – Mike May 24 '18 at 17:40
  • @Pyton I have installed php using amazon-linux-extras package, and I have just installed libargon2, do I have to remove the php and reinstall it again with --with-password-argon2? – Abdullah May 24 '18 at 17:47
  • @Mike thank you Mike for referencing your helpful answer. I also tried var_dump and it returns NULL. – Abdullah May 24 '18 at 17:48
  • Remember you can always look at `phpinfo()` or `php -i` to check if extension modules are really linked in. Else check your VMs php.ini or .user.ini etc. – mario May 24 '18 at 18:21
  • @mario That is a good tip, I tried php -i and argon2 was not listed with the hashing engines. UPDATE: I tried the same thing on my local machine, argon2 was not listed with the hashing engines as well, yet, it works well on my local machine :/ – Abdullah May 24 '18 at 18:29
  • Then see `print_r(get_defined_constants());`. Else check out php.ini and associated includes / edit if feasible / reboot webserver+fastcgi handler. Otherwise summon Amazon support. – mario May 24 '18 at 18:37
  • From http://php.net/manual/en/configure.about.php there is no `--with-password-argon2` option. The [installation page for `password_hash()`](http://php.net/manual/en/password.installation.php) indicates that these functions are core PHP and there are [no dependencies on external libraries](http://php.net/manual/en/password.requirements.php) and [nothing to configure at runtime](http://php.net/manual/en/password.configuration.php). That's why there will be nothing argon2-related (or even bcrypt/blowfish) listed in `phpinfo()`. If you do figure this out, feel free to answer your own question. – Mike May 24 '18 at 19:54
  • I suspect that your issue is related to the CPU thread count of the machine in which the request is processed. – Gnanakeethan Balasubramaniam Jan 28 '20 at 01:27
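
One way to check on each server whether the running PHP build provides Argon2i, and to hash with a fallback when it does not. This is an added example, not code from the question or its comments; the function name `hash_password_portable` and the sample password are hypothetical, and it assumes the failure comes from a build in which the `PASSWORD_ARGON2I` constant is not defined.

```php
<?php
declare(strict_types=1);

/**
 * Hash with Argon2i when this PHP build supports it, otherwise with
 * PASSWORD_DEFAULT. Returns [algorithm name, hash].
 * (Hypothetical helper, not part of the original post.)
 */
function hash_password_portable(string $plain): array
{
    // PASSWORD_ARGON2I is only defined when PHP was compiled with Argon2 support.
    if (defined('PASSWORD_ARGON2I')) {
        $algo = PASSWORD_ARGON2I;
        // Cost values taken from the question.
        $options = ['memory_cost' => 2048, 'time_cost' => 4, 'threads' => 3];
    } else {
        $algo = PASSWORD_DEFAULT;
        $options = [];
    }

    $hash = password_hash($plain, $algo, $options);
    if (!is_string($hash)) {
        // PHP 7.x returns false or null here instead of throwing.
        throw new RuntimeException('password_hash() failed; check the PHP error log');
    }

    return [password_get_info($hash)['algoName'], $hash];
}

// Report what this build offers. password_algos() exists from PHP 7.4 on.
$available = function_exists('password_algos')
    ? implode(', ', password_algos())
    : 'not listable before PHP 7.4';
printf("PHP %s, Argon2i constant defined: %s, algorithms: %s\n",
    PHP_VERSION, defined('PASSWORD_ARGON2I') ? 'yes' : 'no', $available);

// Read the password from the POST body rather than the query string.
// The fallback value is a constructed sample for running from the CLI.
$submitted = $_POST['password'] ?? null;
$plain = is_string($submitted) ? $submitted : 'constructed-sample-password';

[$name, $hash] = hash_password_portable($plain);
printf("hashed with %s: %s\n", $name, $hash);
printf("verifies: %s\n", password_verify($plain, $hash) ? 'yes' : 'no');
```

Running the same file on both machines shows directly whether the two builds differ in Argon2 support.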
