
FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
Password hash through Auth
  • Hi guys,
    I'm trying to make use of the Auth to create hashes like this :

    $hash = \Auth::instance()->hash_password(\Str::random()).$user->id;

    Everything goes well, BUT because it creates the hash based on a random string, it could return a hash like this: MI/GUHI39ne+LdjE3gHFaq7kqTw3K6OaQ7thdJAdaWQ=15 (please observe the / character)

    In this case, the link will look like this one :

    http://site.de/kont/resetpassword/MI/GUHI39ne+LdjE3gHFaq7kqTw3K6OaQ7thdJAdaWQ=15

    so when we try, as in the example, to extract the hash by doing $user = substr($hash, 44), it will never reach the user, because the actual $hash is: MI (the part before the /).

    Am I missing something, or is it like that and we have to create another kind of hash?

    Thanks
  • Hmm... wasn't aware that it could return those characters as well.

    Maybe base64 encode it before adding it to the url? Or simply use Str::random() to generate a long enough random string?
  • Hi,

    I've found this solution on php.net - User contributed note, which seems to do the job.
    Contributor : gutzmer at usa dot net (link)
  • Don't want it to be random because we want to get the user id out of it.
  • If you want to retrieve data from it, you have to crypt it instead of hash it.

    Hashing is a one-way algorithm, Crypting is bidirectional.
  • I know this is an old expired thread, but wanted to pop in with my $0.02.

    There is an issue with the encrypting: it does send out hashes with / chars. I was scratching my head till I found this thread. A good solution, as found by @mgabrielro, is to base64_encode / base64_decode.

    I use this to reset passwords, and loosely followed the example provided. I use the $hash example:
    // Hash //
    $hash = Auth::instance()->hash_password(Str::random()) . $user->id;

    then I store the $hash in the user's profile fields, and when I send out the verification email, I base64_encode it:
    // Email wrapper function I made | I encode the email hash //
    self::send_reset($user->email, $user->username, base64_encode($hash));

    Then, when I retrieve the email:
    function retrieve($hash = null) {
        // Check hash isn't null, if it is someone needs redirected //
        is_null($hash) and Response::redirect('/');
        // Unhash the email hash | Now I have something to work with //
        $unhash = base64_decode($hash);
        // Get my user //
        $user = substr($unhash, 44);
        ..... // Continue on with code //
    }

    The extra encoding really isn't a bad idea either, so it's not that much of a hassle, and I personally wouldn't change it. Maybe reflect this in the documentation. 

    Good find and work around @mgabrielro.
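An added example, not code from the thread or from FuelPHP, of a reset token that survives the URL path. Two points the thread circles around: standard base64_encode() output still contains '+', '/' and '=', so it only moves the problem (the '/' can reappear in the encoded form), whereas base64url (RFC 4648, section 5) uses '-' and '_' and drops the padding; and a fixed offset like substr($hash, 44) breaks the moment the hash length changes, so the user id is separated with a '.' that the alphabet can never produce. The example is plain PHP (7.1 or later) with random_bytes() and SHA-256 standing in for \Auth::instance()->hash_password(\Str::random()); the user id 15 and the http://site.de/kont/resetpassword/ prefix are taken from the original post, and all function names are the example's own.

```php
<?php
// Added example, not code from the thread or from FuelPHP. Plain PHP (>= 7.1)
// so it runs on its own; where FuelPHP code would call
// \Auth::instance()->hash_password(\Str::random()), this uses random_bytes().

// base64url (RFC 4648 section 5): '+' and '/' become '-' and '_', and the '='
// padding is dropped, so the result never contains a character that a router
// treats as a path separator or a query/parameter delimiter.
function base64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function base64url_decode(string $text): string
{
    $b64 = strtr($text, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);   // restore padding
    $bin = base64_decode($b64, true);                     // strict: reject junk
    return $bin === false ? '' : $bin;
}

// Build "<43 url-safe chars>.<user id>". The '.' never appears in base64url
// output, so the id is recovered by splitting on it rather than by a fixed
// offset such as substr($hash, 44), which breaks if the hash length changes.
// Returns [token for the e-mail link, hash to store in the user's profile].
function make_reset_token(int $user_id): array
{
    $token  = base64url_encode(random_bytes(32)) . '.' . $user_id;
    $stored = hash('sha256', $token);   // store a hash, not the token itself
    return [$token, $stored];
}

// Validate the token's shape before touching the database; null means "not
// one of ours". Returns the user id and the decoded 32 random bytes.
function parse_reset_token(string $token): ?array
{
    if (!preg_match('/^([A-Za-z0-9_-]{43})\.([1-9][0-9]{0,9})$/', $token, $m)) {
        return null;
    }
    $secret = base64url_decode($m[1]);
    if (strlen($secret) !== 32) {
        return null;
    }
    return ['user_id' => (int) $m[2], 'secret' => $secret];
}

// Compare the recomputed hash with the stored one in constant time, so the
// check does not leak how many leading bytes matched.
function verify_reset_token(string $token, string $stored_hash): bool
{
    return hash_equals($stored_hash, hash('sha256', $token));
}

// Constructed usage: user id 15 and the URL prefix come from the thread's
// example link; the token itself is freshly generated on every run.
[$token, $stored] = make_reset_token(15);
$link = 'http://site.de/kont/resetpassword/' . $token;

assert(strpbrk($token, '+/=') === false);            // nothing the router will split on
assert(parse_reset_token($token)['user_id'] === 15); // id recovered without substr()
assert(verify_reset_token($token, $stored));
assert(!verify_reset_token($token . 'x', $stored));
// The token from the original post is rejected outright: '/', '+' and '='
// are outside the expected alphabet.
assert(parse_reset_token('MI/GUHI39ne+LdjE3gHFaq7kqTw3K6OaQ7thdJAdaWQ=15') === null);
// Plain base64 is not URL-safe either: it still uses '+', '/' and '='.
assert(base64_encode("\xfb\xff") === '+/8=');

echo $link, "\n";
```

Inside FuelPHP the stored value could just as well be whatever hash_password() returns; what matters for the link is that only the base64url alphabet and the '.' reach the URL, and that the lookup compares a stored hash with hash_equals() instead of reading the user id back out of a string by position.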
