Using MD5 in Symfony2 security.yml for legacy users

I have an outdated system that contains MD5-hashed passwords. I checked them and they do not use a salt.

security.yml

    security:
        encoders:
            Namespace\MyBundle\Entity\User:
                algorithm: md5
        providers:
            entityUsers:
                entity: { class: NamespaceBundle:User, property: username }

In my user entity, I implemented UserInterface and made sure that an empty string is returned for the salt.

But when I try to authenticate, I get a bad credentials message.

I tried switching security.yml to plaintext and entering the hash directly, and the system works fine.

Surely md5 should work?

+6
2 answers

I had exactly the same problem, and I had to dig into the code to find out why.

You do not need to create a custom encoder.

By default, the MessageDigestPasswordEncoder ( Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder ) in Symfony 2.5, and possibly all Symfony 2 releases, calculates the MD5 hash of the raw password with or without salt as expected, but then re-hashes it with MD5 several times (5,000 times by default in Symfony 2.5). To make things a little more exciting, the encoder also base64-encodes the hash by default. Both of these features were causing problems for me.

You can fix the problem by disabling the re-hashing and/or the base64 encoding in security.yml like this:

    security:
        encoders:
            Namespace\Of\Your\User:
                algorithm: md5
                encode_as_base64: false
                iterations: 0

Hope this saves you some time.

+22
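To see why the default settings reject a legacy hash and why `iterations: 0` plus `encode_as_base64: false` accepts it, here is an added Python re-implementation of the scheme the answer describes (hash the salted password, re-hash `iterations - 1` more times over digest plus salted input, then base64- or hex-encode). This is example code written for this page, not Symfony's own code; the merge rule `raw{salt}` for a non-empty salt and the loop bounds are assumed from the Symfony 2 source. The sample password is constructed.

```python
import base64
import hashlib
import hmac


def symfony_message_digest(raw: str, salt: str = "", algorithm: str = "md5",
                           iterations: int = 5000, encode_as_base64: bool = True) -> str:
    """Assumed re-implementation of MessageDigestPasswordEncoder::encodePassword.

    Defaults mirror Symfony 2.5: 5000 iterations, base64 output.
    With salt="" the raw password is hashed as-is; otherwise "raw{salt}".
    """
    salted = raw if salt == "" else f"{raw}{{{salt}}}"
    salted_bytes = salted.encode("utf-8")
    digest = hashlib.new(algorithm, salted_bytes).digest()
    # PHP loop is `for ($i = 1; $i < $iterations; ++$i)`, so iterations <= 1
    # means a single hash; each extra round hashes digest || salted input.
    for _ in range(1, iterations):
        digest = hashlib.new(algorithm, digest + salted_bytes).digest()
    if encode_as_base64:
        return base64.b64encode(digest).decode("ascii")
    return digest.hex()


def legacy_md5(raw: str) -> str:
    """What the legacy system stored: unsalted hex MD5."""
    return hashlib.md5(raw.encode("utf-8")).hexdigest()


def is_password_valid(stored: str, raw: str, **encoder_settings) -> bool:
    """Compare a stored hash with a fresh encoding in constant time."""
    candidate = symfony_message_digest(raw, **encoder_settings)
    return hmac.compare_digest(stored, candidate)


if __name__ == "__main__":
    password = "correct horse"          # constructed sample
    stored = legacy_md5(password)       # as migrated from the old system
    # Default encoder settings: 5000 rounds + base64, so no match.
    print(is_password_valid(stored, password))
    # Settings from the answer above: plain hex MD5, so it matches.
    print(is_password_valid(stored, password, iterations=0, encode_as_base64=False))
```

With the defaults the first call returns False and the second True; passing any non-empty salt changes the input that is hashed, which is why the entity's getSalt() must return an empty string for these accounts.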

It turns out that md5 in Symfony2 uses a salt by default. There may be a simpler way, but I just created a custom MD5 password encoder implementing PasswordEncoderInterface that ignores the salt.

Register the service

    namespace.project.md5password.encoder:
        class: Namespace\MyBundle\Services\CustomMd5PasswordEncoder

Create the encoder service

    <?php

    namespace Namespace\MyBundle\Services;

    use Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface;

    /**
     * Encoder for legacy accounts: unsalted hex MD5, no extra iterations.
     */
    class CustomMd5PasswordEncoder implements PasswordEncoderInterface
    {
        public function encodePassword($raw, $salt)
        {
            // The salt is deliberately ignored: the legacy hashes were unsalted.
            return md5($raw);
        }

        public function isPasswordValid($encoded, $raw, $salt)
        {
            // hash_equals() avoids PHP's loose "==" comparison of hex strings
            // (e.g. "0e..." hashes compare equal as numbers) and timing leaks.
            return hash_equals($encoded, md5($raw));
        }
    }

Use the new service in security.yml

    security:
        encoders:
            Namespace\MyBundle\Entity\User:
                id: namespace.project.md5password.encoder

Hope this helps.

+6

Source: https://habr.com/ru/post/953619/
