I have a site whose passwords use an MD5 hashing scheme. As a way of supporting this legacy system, I currently have this answer to manually override the login system. But that isn't ideal, since MD5 is fairly well known to be cryptographically bad. So, for security's sake, what is the best way to migrate users to the more secure CakePHP authentication system without causing them unnecessary pain?

1 Answer

Thanks to this answer (although with a slight modification). Basically, if the current system doesn't match it, it updates the user behind the scenes to use the new system.

/**
 *  Login method
 */
public function login() {
    $this->layout = 'homepage';
    // If the user is already logged in, redirect to their user page.
    // redirect() needs a URL; AuthComponent::redirectUrl() (CakePHP 2.3+)
    // returns the page originally requested, or loginRedirect.
    if ($this->Auth->user() != null) {
        $this->redirect($this->Auth->redirectUrl());
    } else {
        // If this is being POSTed, check for login information
        if ($this->request->is('post')) {
            $user = $this->loginHelper($this->request->data);
            if ($user !== null) {
                // Do not carry the password hash into the session
                unset($user['password']);
            }
            if ($user !== null && $this->Auth->login($user)) {
                // Redirect to the origin path
                $this->redirect($this->Auth->redirectUrl());
            } else {
                $this->Session->setFlash('Invalid username or password, try again');
            }
        }
    }
}

/**
 *  Check the submitted credentials against the current hashing scheme first,
 *  then against the legacy unsalted MD5 scheme; on a legacy match the stored
 *  hash is upgraded transparently.
 *  @param array $data The submitted request data ($data['User']['username'] and ['password'])
 *  @return array|null The user record if the credentials are valid, null otherwise
 */
private function loginHelper($data) {
    $username  = $data['User']['username'];
    $plainText = $data['User']['password'];

    $result = $this->User->findByUsername($username);
    if (empty($result)) {
        return null; // unknown username
    }
    $user = $result['User'];

    // Current scheme: the default hash type with the application's Security.salt.
    // (If the app uses blowfish, compare with
    //  Security::hash($plainText, 'blowfish', $user['password']) instead,
    //  because a blowfish hash carries its own salt and a fresh salt would never match.)
    $salted = Security::hash($plainText, null, true);

    if ($salted === $user['password']) {
        return $user; // user exists, password is correct
    }

    // Legacy scheme: unsalted MD5 (a null salt argument means no salt)
    $md5ed = Security::hash($plainText, 'md5', null);

    if ($md5ed === $user['password']) {
        // Persist the password under the new scheme. This relies on the User
        // model hashing the password in beforeSave(), so the plain text is
        // never written to the database.
        $this->User->id = $user['id'];
        $this->User->saveField('password', $plainText);

        return $user; // user exists, password now stored under the new scheme
    }

    return null; // password matches neither scheme
}
answered 2013-07-04T20:18:52.540
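The same verify-then-upgrade flow written against PHP's native `password_*` API instead of CakePHP's `Security::hash()`, added here as an example; it is not the answer's code and not part of CakePHP. The `$users` array is a constructed stand-in for the users table, and `authenticate()`, `isLegacyMd5()` and `BCRYPT_COST` are names chosen for this example. It goes a little beyond the answer by also re-hashing bcrypt rows whose cost factor has since been raised.

```php
<?php
// Added example, not from the original answer: upgrade unsalted MD5 rows to
// bcrypt transparently on the user's next successful login.

const BCRYPT_COST = 12; // example setting; tune to your hardware

// Constructed sample rows: alice still carries an unsalted MD5, bob is bcrypt.
$users = [
    'alice' => ['password' => md5('correct horse')],
    'bob'   => ['password' => password_hash('battery staple', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])],
];

// An unsalted MD5 digest is a bare 32-character hex string; bcrypt hashes
// start with "$2y$", so the stored value itself tells us which path to take.
function isLegacyMd5(string $stored): bool {
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

// Returns true on success. On a legacy match the row is rewritten in place
// with a bcrypt hash, so the MD5 digest is gone after this login.
function authenticate(array &$users, string $username, string $plainText): bool {
    // Verify against a throwaway bcrypt hash for unknown users so that
    // "no such user" takes about as long as "wrong password".
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    if (!isset($users[$username])) {
        password_verify($plainText, $dummy);
        return false;
    }

    $stored = $users[$username]['password'];

    if (isLegacyMd5($stored)) {
        // hash_equals() compares in constant time, unlike === on strings.
        if (!hash_equals($stored, md5($plainText))) {
            return false; // wrong password: leave the row untouched
        }
        $users[$username]['password'] = password_hash($plainText, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        return true;
    }

    if (!password_verify($plainText, $stored)) {
        return false;
    }
    // Also catch bcrypt hashes made with an older, cheaper cost factor.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $users[$username]['password'] = password_hash($plainText, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return true;
}

// Walk-through: a wrong password leaves alice's MD5 row untouched; the first
// correct login rewrites it as bcrypt, and later logins take the bcrypt path.
authenticate($users, 'alice', 'wrong');
echo isLegacyMd5($users['alice']['password']) ? "alice: still MD5\n" : "alice: bcrypt\n";
authenticate($users, 'alice', 'correct horse');
echo isLegacyMd5($users['alice']['password']) ? "alice: still MD5\n" : "alice: bcrypt\n";
echo authenticate($users, 'bob', 'battery staple') ? "bob: ok\n" : "bob: rejected\n";
```

In a CakePHP app the `$users` array becomes the `User` model and the two `password_hash()` writes become the `saveField()` call from the answer; the point of the pattern is that the legacy digest is only ever compared, never re-used, and disappears from the table the first time each user signs in. Rows belonging to users who never return keep their MD5 digest, so a cut-off date after which remaining legacy rows are forced through a password reset is the usual complement to this approach.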