I have a site whose passwords use an MD5 hashing scheme. As a way of supporting this legacy system, I now have this answer to manually override the login system. But this isn't ideal, since MD5 is almost universally known to be bad cryptographically. So, to be safe, what is the best way to migrate users to a more secure CakePHP authentication system without causing them unnecessary pain?
Viewed 427 times
1 answer
0
Thanks to this answer (though slightly modified). Basically, if the current system doesn't match, it updates the user behind the scenes to use the new system.
// At the top of the controller file, so Security::hash() is available
App::uses('Security', 'Utility');

/**
 * Login method
 */
public function login() {
	$this->layout = 'homepage';
	// If the user is already logged in, redirect to their user page
	if ($this->Auth->user() != null) {
		$this->redirect();
	} else {
		// If this is being POSTed, check for login information
		if ($this->request->is('post')) {
			if ($this->Auth->login($this->loginHelper($this->request->data))) {
				// Redirect to origin path, ideally
			} else {
				$this->Session->setFlash('Invalid username or password, try again');
			}
		}
	}
}

/**
 * Update password method
 * @param array $data The user's data array
 * @return array|null The user array if the credentials are valid, null otherwise
 */
private function loginHelper($data) {
	$username = $data['User']['username'];
	$plainText = $data['User']['password'];
	$user = current($this->User->findByUsername($username));
	if (empty($user)) {
		return null; // no such user
	}
	$salted = Security::hash($plainText, null, true);
	if ($salted === $user['password']) {
		return $user; // user exists, password is correct
	}
	$md5ed = Security::hash($plainText, 'md5', null);
	if ($md5ed === $user['password']) {
		// Legacy MD5 match: re-save the password so the User model's
		// beforeSave() hashes it with the new scheme
		$this->User->id = $user['id'];
		$this->User->saveField('password', $plainText);
		return $user; // user exists, password now updated to blowfish
	}
	return null; // user's password does not exist.
}
answered 2013-07-04T20:18:52.540
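The answer's helper silently depends on the User model hashing the password in beforeSave(). Here is an added example (not the answerer's code) that puts both halves in the model: a bcrypt beforeSave() and a login check that recognises a bcrypt hash by its prefix, falls back to the legacy unsalted MD5 column value, and upgrades it on the first successful login. It assumes CakePHP 2.3 or later (for BlowfishPasswordHasher), a `User` model with `username` and `password` columns, and that legacy rows hold unsalted MD5 as the answer's `Security::hash($plainText, 'md5', null)` implies.

```php
<?php
// Added example; assumes CakePHP 2.3+ and unsalted MD5 legacy hashes.
App::uses('AppModel', 'Model');
App::uses('Security', 'Utility');
App::uses('BlowfishPasswordHasher', 'Controller/Component/Auth');

class User extends AppModel {

/**
 * Hash any plaintext password before it reaches the database.
 * Callers must pass plaintext, never an existing hash, or it is hashed twice.
 */
	public function beforeSave($options = array()) {
		if (!empty($this->data[$this->alias]['password'])) {
			$hasher = new BlowfishPasswordHasher();
			$this->data[$this->alias]['password'] =
				$hasher->hash($this->data[$this->alias]['password']);
		}
		return true;
	}

/**
 * Verify credentials against a bcrypt or legacy MD5 value and upgrade
 * the stored hash when a legacy value matches.
 *
 * @param string $username
 * @param string $plainText
 * @return array|null The user row on success, null otherwise
 */
	public function authenticateAndUpgrade($username, $plainText) {
		$row = $this->findByUsername($username);
		if (empty($row[$this->alias])) {
			return null; // unknown user
		}
		$user = $row[$this->alias];
		$stored = $user['password'];
		// bcrypt hashes start with "$2"; checking an MD5 value with the
		// blowfish hasher would raise a warning, so branch on the prefix.
		if (strpos($stored, '$2') === 0) {
			$hasher = new BlowfishPasswordHasher();
			return $hasher->check($plainText, $stored) ? $user : null;
		}
		if (Security::hash($plainText, 'md5', false) === $stored) {
			// Legacy match: saving the plaintext lets beforeSave() store bcrypt
			$this->id = $user['id'];
			$this->saveField('password', $plainText);
			return $user;
		}
		return null; // wrong password
	}
}
```

A controller would call `$this->Auth->login($this->User->authenticateAndUpgrade($username, $plainText))` in place of the answer's loginHelper(), and once every row starts with `$2` the MD5 branch can be deleted.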