I have an MD5 encrypted password in my DB. When I register a new user, the MD5 changes my password to md5 + salt in the DB.
All is OK; when I log in, the password is correct… but…
when I click "update user" and I don't change the password, only save this edited user, my password changes from the MD5 password to MD5 + MD5, and when I log in as the user, I can't, the password is wrong.
Example:
make new user: password - pass1
in DB save: password - a722c63db8ec8625af6cf71cb8c2d939

    public function beforeSave() {
        $pass = md5($this->password);
        $this->password = $pass;
        return true;
    }
USER IDENTITY:
    public function authenticate() {
        $user = user::model()->findByAttributes(array('name' => $this->username));
        // echo md5($this->password); echo '<br>';
        // echo $user->password; exit;
        if ($user === null) { // No user was found!
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        }
        // $user->Password refers to the "password" column name from the database
        else if ((md5($this->password) . Yii::app()->params["salt"]) !== $user->password) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            // User/pass match
            $this->_id = $user->id;
            $this->errorCode = self::ERROR_NONE;
        }
        return !$this->errorCode;
    }

    public function getId() {
        return $this->_id;
    }
USER CREATE:
    public function actionCreate()
    {
        $model=new User;
        // Uncomment the following line if AJAX validation is needed
        // $this->performAjaxValidation($model);
        if(isset($_POST['User']))
        {
            $model->attributes=$_POST['User'];
            if($model->save())
                $this->redirect(array('index'));
        }
        $this->render('create',array(
            'model'=>$model,
        ));
    }
USER UPDATE:
    public function actionUpdate($id)
    {
        $model=$this->loadModel($id);
        // Uncomment the following line if AJAX validation is needed
        // $this->performAjaxValidation($model);
        if(isset($_POST['User']))
        {
            $model->attributes=$_POST['User'];
            if($model->save())
                $this->redirect(array('index'));
        }
        $this->render('update',array(
            'model'=>$model,
        ));
    }
I think the problem is that you don't check whether a new user password is set or it is empty.
Possible sequence:
You fetch the user model from the database. There the password is saved as MD5. If you update your user and no password is set, perhaps it takes the saved MD5 password as the new password.
So if you check whether the user entered a new password or not, the problem should be solved.
Where are you hashing the password - beforeSave? You need to check the scenario (register) and only hash it on insert/create/register or when the user updates their password.
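One way to do the check both answers describe, as an added example that is not the asker's code: a Yii 1.x model whose beforeSave() hashes only a freshly entered password and otherwise leaves the stored hash alone. The User class and params['salt'] come from the question; _storedHash, afterFind() and hashPassword() are assumed names.

```php
<?php
// Added example (not the asker's code): a Yii 1.x ActiveRecord model that
// hashes the password only when a new one was actually entered. The User class
// and params['salt'] follow the question; _storedHash/hashPassword() are assumed.
class User extends CActiveRecord
{
    private $_storedHash; // hash as loaded from the DB, before any edit

    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    // Remember the stored hash so a fresh plaintext can be told from the old hash.
    protected function afterFind()
    {
        parent::afterFind();
        $this->_storedHash = $this->password;
    }

    protected function beforeSave()
    {
        if (!parent::beforeSave()) {
            return false;
        }
        if ($this->isNewRecord) {
            // Registration: always hash what the user typed.
            $this->password = self::hashPassword($this->password);
        } elseif ($this->password === '' || $this->password === null) {
            // Update form left the password blank: keep the existing hash.
            $this->password = $this->_storedHash;
        } elseif ($this->password !== $this->_storedHash) {
            // Update form carried a new plaintext password: hash it once.
            $this->password = self::hashPassword($this->password);
        }
        // Otherwise the attribute still holds the stored hash; never re-hash it.
        return true;
    }

    // Same scheme the question's authenticate() compares against: md5(plain) . salt.
    // A fast hash like MD5 is not a safe password hash; CPasswordHelper::hashPassword()
    // (bcrypt, Yii 1.1.14+) with verifyPassword() in authenticate() is the replacement.
    public static function hashPassword($plain)
    {
        return md5($plain) . Yii::app()->params['salt'];
    }
}
```

If the update form renders the password field empty instead of prefilled with the hash, the blank-password branch is the one that runs and the stored hash survives the save.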