Yii PBKDF2 String Hashing/Validation Component
Copy the `Auth.php` file into the `protected/components` folder of your project.
In `config/main.php`, add the following to the `components` array:

```php
'auth'=>array('class'=>'Auth'),
```
In `protected/components/UserIdentity.php`, modify your `authenticate` method as follows:
```php
public function authenticate()
{
    $record = User::model()->findByAttributes(array('username' => $this->username));
    if ($record === null) {
        $this->errorCode = self::ERROR_USERNAME_INVALID;
    } else if (!Yii::app()->auth->validate_hash($this->password, $record->salt, $record->password)) {
        $this->errorCode = self::ERROR_PASSWORD_INVALID;
    } else {
        // Both checks passed: remember the user id and clear the error code.
        // The braces matter: without them, errorCode is reset to ERROR_NONE
        // on every path and any password would be accepted.
        $this->_id = $record->id;
        $this->errorCode = self::ERROR_NONE;
    }
    return !$this->errorCode;
}
```
You will also need to override the `getId` method:

```php
public function getId()
{
    return $this->_id;
}
```
And don't forget to declare `$_id` at the top of the class:

```php
private $_id;
```
Refer to the Yii documentation for more on authentication.
Always hash new passwords using the `generate_hash` method:

```php
$auth = Yii::app()->auth->generate_hash('password');
```

This returns an object containing your new `salt` and password `hash` strings.
Store both values in the user's row of your user table, for example when creating a new user or updating a password. Each time a password is set, the stored salt must be replaced with the newly-generated one.
Validate a password using the `validate_hash` method:

```php
$valid = Yii::app()->auth->validate_hash($raw, $salt, $hash);
```

Here `$raw` is the password string being checked, `$salt` is the user's salt from your table, and `$hash` is the user's hashed password from your table.
You can override the default properties of the component in `config/main.php` like so:

```php
'auth'=>array(
    'class'=>'Auth',
    'algorithm'=>'sha256',
    'iterations'=>2048,
    'salt_bytes'=>42,
    'hash_bytes'=>42,
),
```
- `algorithm` - the hashing algorithm you want to use
- `iterations` - the number of PBKDF2 iterations; choose at least 1000
- `salt_bytes` - how many bytes of salt to generate. Never alter this value once you have begun generating password/salt combinations. A value of 24 produces a string of 32 characters.
- `hash_bytes` - how many bytes of hash to generate. Never alter this value once you have begun generating password/salt combinations. A value of 24 produces a string of 32 characters.
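As an added illustration of the `generate_hash`/`validate_hash` contract described above together with the four properties, here is a Python model of the component (this is not the component's own PHP). It assumes the salt and hash are base64-encoded, which is what turns 24 bytes into a 32-character string, and that the hash is derived over the stored salt string exactly as it is read back from the table.

```python
import base64
import hashlib
import hmac
import os
from typing import NamedTuple


class HashResult(NamedTuple):
    """Mirrors the object generate_hash() returns: a salt and a hash, both strings."""
    salt: str
    hash: str


class Auth:
    """Python model of the Auth component's behaviour (assumed, not the original PHP).

    Defaults mirror the documented example configuration; salt_bytes and hash_bytes
    are sizes before base64 encoding, so 24 bytes become 32 characters.
    """

    def __init__(self, algorithm="sha256", iterations=2048, salt_bytes=24, hash_bytes=24):
        if iterations < 1000:
            raise ValueError("iterations must be at least 1000")
        self.algorithm = algorithm
        self.iterations = iterations
        self.salt_bytes = salt_bytes
        self.hash_bytes = hash_bytes

    def _pbkdf2(self, raw: str, salt: str) -> str:
        # The salt is stored as text and fed back unchanged, so PBKDF2 runs over the
        # encoded salt string rather than its decoded bytes (an assumption of this model).
        dk = hashlib.pbkdf2_hmac(self.algorithm, raw.encode("utf-8"),
                                 salt.encode("utf-8"), self.iterations, self.hash_bytes)
        return base64.b64encode(dk).decode("ascii")

    def generate_hash(self, raw: str) -> HashResult:
        # A fresh random salt for every password set; the old salt is never reused.
        salt = base64.b64encode(os.urandom(self.salt_bytes)).decode("ascii")
        return HashResult(salt=salt, hash=self._pbkdf2(raw, salt))

    def validate_hash(self, raw: str, salt: str, hash_: str) -> bool:
        # Constant-time comparison so a mismatch leaks nothing about where it differs.
        return hmac.compare_digest(self._pbkdf2(raw, salt), hash_)
```

The last check in the model also shows why `hash_bytes` must not change once rows exist: a component configured with a different size derives a different-length hash and rejects every existing password.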