Question
I'm having trouble implementing Blowfish Hashing in CakePHP. I've done it many times before but something really strange is happening this time.
When I do this in my Model:
<?php
App::uses('BlowfishPasswordHasher', 'Controller/Component/Auth');

class Person extends AppModel {
    public $hasAndBelongsToMany = 'Client';
    public $belongsTo = 'Role';

    public function beforeSave($options = array()) {
        if (!$this->id) {
            $passwordHasher = new BlowfishPasswordHasher();
            debug($passwordHasher->hash($this->data[$this->alias]['password']));
            debug($passwordHasher->hash($this->data[$this->alias]['password']));
            debug($passwordHasher->hash($this->data[$this->alias]['password']));
            debug($passwordHasher->hash($this->data[$this->alias]['password']));
            debug($passwordHasher->hash($this->data[$this->alias]['password']));
            debug($passwordHasher->hash($this->data[$this->alias]['password']));
            $this->data[$this->alias]['password'] = $passwordHasher->hash($this->data[$this->alias]['password']);
        }
        return true;
    }
}
It outputs 6 different passwords:
/app/Model/Person.php (line 9)
'$2a$10$Ow67P5proa7LqBwlXCLFQOc/2WyfvSVNtBLNA5PMb2wxWuoK0mrvq'
/app/Model/Person.php (line 10)
'$2a$10$ZI5xv9SmLafBZOaikaIWY.jqyX68mS9RqvF4WbaxEuIj67ddKGguG'
/app/Model/Person.php (line 11)
'$2a$10$.5gRV3aQ8M/gDHVsSRmRpur8ugXjEidxPwTyuv5NVDUu3tHbCdmoC'
/app/Model/Person.php (line 12)
'$2a$10$58zHo0qAZSLa/KqTFvs6uOxjT0Ua1HlnGmQE5xpKf09in7Di9gCXa'
/app/Model/Person.php (line 13)
'$2a$10$MbHTtqgaCTfbK8JVO5Ad6.JKR3Zvipyv3yeid7Zb5MGx38.fufUCG'
/app/Model/Person.php (line 14)
'$2a$10$ya3gqRwR2osjAsS0jpuDcu/JNkKrvzZpy/Vsk4nBNY213JrwylDUa'
How is that even possible? What could I possibly be doing wrong?
For reference's sake, my components implementation looks like this but the issue occurs when I'm using scaffold as well:
<?php
class PeopleController extends AppController {
    public $components = array(
        'Auth' => array(
            'loginAction' => array(
                'controller' => 'people',
                'action' => 'login'
            ),
            'authenticate' => array(
                'Form' => array(
                    'fields' => array('username' => 'email'),
                    'userModel' => 'Person',
                    'passwordHasher' => 'Blowfish'
                )
            )
        )
    );
Just to clarify, what I'm trying to get working here is the basic login functionality. My login action looks like this:
public function login() {
    if ($this->request->is('post')) {
        if ($this->Auth->login()) {
            return $this->redirect($this->Auth->redirectUrl());
        } else {
            $this->Session->setFlash(__('Username or password is incorrect'), 'default', array(), 'auth');
        }
    }
}
And my view looks like this:
<h2>Login</h2>
<?php echo $this->Session->flash('auth'); ?>
<?php echo $this->Form->create('Person', array('action' => 'login')); ?>
<?php echo $this->Form->input('email'); ?>
<?php echo $this->Form->input('password'); ?>
<?php echo $this->Form->end('Submit'); ?>
Answer
This is expected behaviour. Blowfish hashes contain the randomly generated salt, the resulting hash, the number of rounds used to arrive at that resulting hash, and the method used for hashing. Let's break down your first example:
Method: $2a
Rounds: $10
Hash+Salt: $Ow67P5proa7LqBwlXCLFQOc/2WyfvSVNtBLNA5PMb2wxWuoK0mrvq
When authenticating, the hash string is split by the $ delimiter, and the salt is grabbed out of the final token. It's usually a fixed length from the end depending on the algorithm used (in this case it's probably /2WyfvSVNtBLNA5PMb2wxWuoK0mrvq). The steps to authenticate are then:
- Get the plaintext
- For 2^$ rounds:
  - Hash the plaintext, or the result of the previous round.
- Append $Salt to the result
The hash is then $Method$Rounds$Result$Salt. Check the result against what is recorded in the database - if the output matches, the supplied plaintext is correct.
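As an added illustration (not part of the question or the answer above), the following PHP script reproduces the effect described here with PHP's own crypt()/password_* functions, which CakePHP 2's BlowfishPasswordHasher wraps. It parses a bcrypt string into its fixed-width fields (method, cost, 22-character salt, 31-character hash), shows that two hashes of one password differ only because their salts differ, and shows that feeding the stored string back in as the salt reproduces it exactly, which is how a login check works. The demo password is constructed; the hash string parsed at the end is the first one printed in the question. It assumes PHP 5.6 or newer.

```php
<?php
// Added example, not code from the question, the answer, or CakePHP itself.
// Demonstrates why repeated BlowfishPasswordHasher::hash() calls give different
// strings and how verification still succeeds. Assumes PHP >= 5.6.

// Split a bcrypt string into its fields. The layout is fixed-width:
//   "$" method "$" two-digit cost "$" 22-char salt + 31-char hash
// Characters in the salt/hash part come from the bcrypt base64 alphabet [./A-Za-z0-9].
function parseBcrypt($hash) {
    $re = '/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt string');
    }
    return array('method' => $m[1], 'cost' => (int)$m[2], 'salt' => $m[3], 'hash' => $m[4]);
}

// The crypt()-style check: pass the stored string as the "salt" argument so that
// the same method, cost and salt are reused, then compare in constant time.
function verifyWithStoredSalt($plain, $stored) {
    return hash_equals($stored, crypt($plain, $stored));
}

$plain = 'correct horse battery staple'; // constructed demo password

// 1. Each call draws a fresh random salt, so the full strings differ and so do the salts.
$a = password_hash($plain, PASSWORD_BCRYPT, array('cost' => 10));
$b = password_hash($plain, PASSWORD_BCRYPT, array('cost' => 10));
echo "same string: ", var_export($a === $b, true), "\n";
echo "same salt:   ", var_export(parseBcrypt($a)['salt'] === parseBcrypt($b)['salt'], true), "\n";

// 2. Re-hashing with the salt taken from either stored string reproduces that string,
//    so both stored values verify the same plaintext; a wrong plaintext does not.
echo "verify a:    ", var_export(verifyWithStoredSalt($plain, $a), true), "\n";
echo "verify b:    ", var_export(verifyWithStoredSalt($plain, $b), true), "\n";
echo "wrong pw:    ", var_export(verifyWithStoredSalt('wrong password', $a), true), "\n";
// password_verify() is the library form of the same check.
echo "library:     ", var_export(password_verify($plain, $a), true), "\n";

// 3. Field layout of the first string printed in the question.
print_r(parseBcrypt('$2a$10$Ow67P5proa7LqBwlXCLFQOc/2WyfvSVNtBLNA5PMb2wxWuoK0mrvq'));
```

Run it with `php demo.php`. The practical consequence for the question's code is that the six debug() lines are harmless but the stored value must be whichever hash is written to the row, and the login side must never re-hash with a fresh salt and compare strings; it has to reuse the salt embedded in the stored hash, which CakePHP's Blowfish hasher does for you.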