yii-user salt for every user

#1 taskas

Newbie

Group: Members
Posts: 8
Joined: 28-October 10

Posted 22 July 2011 - 03:00 AM

Hello,
this is my first post, so dont be very angry if I'll make some stupid mistakes

I recentry installer user extension (+rights, but thats not the topic), and everything looked great, except security - password is only hashed using md5 or sha1, by default. I wanted salts for every user password.
So thats what I did: (maybe this will be helpful for someone)
1. I created additional column in table "tbl_users", called "salt".
2. edited my config.php like this:

'params'=>array(
...
'hash_salt_length'	=> '7',
'hash_site_key'	=>	'dlfkgknbcvjkbsdkjflsdkhfdf34534jkHL$@#K$^kb',
...

3. edited UserModule.php file:

	public static function encrypting($string="",$salt="") {

		$sl = Yii::app()->getParams()->hash_salt_length;
		$site_key = Yii::app()->getParams()->hash_site_key;
		//hashing plain password with added salt
		return hash_hmac('sha256', $string . $salt, $site_key);

		/*
		$hash = Yii::app()->getModule('user')->hash;
		if ($hash=="md5")
			return md5($string);
		if ($hash=="sha1")
			return sha1($string);
		else
			return hash($hash,$string);
		 * 
		 */
	}

	/**
	 * Generates random string, length from config - hash_salt_length
	 * @return <String>
	 */
	public static function randomKey(){
		$salt = "";
		$index = 0;
		$sl = Yii::app()->getParams()->hash_salt_length;

		$letters = array('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','R','S','T','U','V','Z','0','1','2','3','4','5','6','7','8','9');
		for($i=0;$i<$sl;$i++){
			$index = mt_rand(0, count($letters)-1);
			$salt.= ($index % 2)==0 ? $letters[$index] : strtolower($letters[$index]);

		}
		return $salt;
	}

4. Searched with my IDE (i like netbeans

) for string "encrypting(", and changed every line, which had not activation key, but password:

that means, files:
AdminController.php, (Around 80 line and 116 line):

$model->salt=UserModule::randomKey();
$model->password=Yii::app()->controller->module->encrypting($model->password,  $model->salt);

ProfileController.php (~78 line):

$new_password->salt = UserModule::randomKey();
						$new_password->password = UserModule::encrypting($model->password, $salt);

RecoveryController.php (~24 line):

$find->salt = UserModule::randomKey();
$find->password = Yii::app()->controller->module->encrypting($form2->password, $find->salt);

RegistrationController.php (~58 line):

$model->salt = UserModule::randomKey();
						$model->password=UserModule::encrypting($model->password,$model->salt);
						$model->verifyPassword=UserModule::encrypting($model->verifyPassword, $model->salt);

UserIdentity.php (~35 line):

else if(Yii::app()->getModule('user')->encrypting($this->password, $user->salt)!==$user->password)

5. Edit models/User.php "scopes" and "defaultScopes" functions, to add "salt" to selective columns.

I haven't tested every function yet (such as recovery), but at least i can login

And by the way, dont forget to edit users in database. To get what info should be used, put for example to RegistrationController such lines:

echo "salt: ".$salt;
echo "<br />";
echo Yii::app()->controller->module->encrypting("admin",$salt);

Waiting for better solutions

#2 Queryton

Junior Member

Group: Members
Posts: 70
Joined: 07-September 11

Posted 05 March 2012 - 02:16 AM

Here's a method for Bcrypt which is better for password & activation key storage:

First, setup the Phpass wrapper extension. There are two wrappers, but I found this one http://www.yiiframew...tension/phpass/ to be easier to use.

Just set that up via the provided documentation.

Second, install Yii-User extension!

Third, now we can edit the Yii-User files.

In components/UserIdentity.php on line 35 change:

else if(Yii::app()->getModule('user')->encrypting($this->password)!==$user->password)

else if(!Yii::app()->hasher->checkPassword($this->password, $user->password))

In Controllers/ActivationController.php on line 19 change:

$find->activkey = UserModule::encrypting(microtime());

$find->activkey = Yii::app()->hasher->hashPassword(microtime());

In Controllers/AdminController.php on line 74 change:

$model->activkey=Yii::app()->controller->module->encrypting(microtime().$model->password);

$model->activkey=Yii::app()->hasher->hashPassword(microtime().$model->password);

Now go to line 80 and change:

$model->password=Yii::app()->controller->module->encrypting($model->password);

$model->password=Yii::app()->hasher->hashPassword($model->password);

Now go to line 111 & 112 and change:

$model->password=Yii::app()->controller->module->encrypting($model->password);
$model->activkey=Yii::app()->controller->module->encrypting(microtime().$model->password);

$model->password=Yii::app()->hasher->hashPassword($model->password);
$model->activkey=Yii::app()->hasher->hashPassword(microtime().$model->password);

In Controllers/ProfileController.php on line 75 & 82 change:

if($model->validate()) {
    $new_password = User::model()->notsafe()->findbyPk(Yii::app()->user->id);
    $new_password->password = UserModule::encrypting($model->password);
    $new_password->activkey=UserModule::encrypting(microtime().$model->password);
    $new_password->save();
    Yii::app()->user->setFlash('profileMessage',UserModule::t("New password is saved."));
    $this->redirect(array("profile"));
                        }

//validate user input
if($model->validate()) {
//generate new hash per new password
$new_hash = Yii::app()->hasher->hashPassword($model->password);
//generate new activation code
$new_actikey = Yii::app()->hasher->hashPassword(microtime().$model->password);
//add into database (Hash)
$command = Yii::app()->db->createCommand();
$command->update('tbl_users', array(
'password'=>$new_hash
), 'id=:id', array(':id'=>Yii::app()->user->id));
//add into database (Activation Key)
$command->update('tbl_users', array(
'activkey'=>$new_actikey
), 'id=:id', array(':id'=>Yii::app()->user->id));
Yii::app()->user->setFlash('profileMessage',UserModule::t("New password is saved."));
$this->redirect(array("profile"));
    }

NOTE: FindbyPk method did not work for me when attempting to save new hash file after password change. Using query builder instead.

In Controllers/RecoveryController.php on line 24 & 25 change:

$find->password = Yii::app()->controller->module->encrypting($form2->password);
$find->activkey=Yii::app()->controller->module->encrypting(microtime().$form2->password);

TO:

$find->password = Yii::app()->hasher->hashPassword($form2->password);
$find->activkey=Yii::app()->hasher->hashPassword(microtime().$form2->password);

In Controllers/RegistrationController.php on line 44 & 47 change:

$soucePassword = $model->password;
$model->activkey=UserModule::encrypting(microtime().$model->password);
$model->password=UserModule::encrypting($model->password);
$model->verifyPassword=UserModule::encrypting($model->verifyPassword);

TO:

if(!empty($model->password) && $model->password==$model->verifyPassword) {
    $soucePassword = $model->password;
    $model->activkey=Yii::app()->hasher->hashPassword(microtime().$model->password);
    //password and verifyPassword
    $model->password=Yii::app()->hasher->hashPassword($model->password);
    $model->verifyPassword=$model->password;
}

That should be it! I have now have a working Yii-User setup that encrypts all my user's passwords and activation keys to Bcrypt.

Note: I haven't tested the recovery, but as you can see above it appears to be only two lines of code that needed to be changed. Someone want to confirm this?

#3 thelfensdrfer

Junior Member

Group: Members
Posts: 37
Joined: 06-March 11
Location:Germany

Posted 17 March 2012 - 07:42 AM

It works. Thank you very much for your detailed description. But the last brace in the last code example must be '}' not '{'.

#4 Queryton

Junior Member

Group: Members
Posts: 70
Joined: 07-September 11

Posted 17 March 2012 - 06:23 PM

demo88, on 17 March 2012 - 07:42 AM, said:

It works. Thank you very much for your detailed description. But the last brace in the last code example must be '}' not '{'.

You're welcome.

#5 jacmoe

Elite Member

Group: Moderators
Posts: 3,710
Joined: 10-October 10
Location:Denmark

Posted 17 March 2012 - 06:34 PM

/* Moved to Tips, Snippets, Tutorials from Extensions */

"Less noise - more signal"

#6 Juhku

Newbie

Group: Members
Posts: 3
Joined: 13-September 11
Location:Finland

Posted 08 October 2012 - 04:41 PM

Queryton, on 05 March 2012 - 02:16 AM, said:

Here's a method for Bcrypt which is better for password & activation key storage...

Thank you! Seems to work well!

In models/UserChangePassword.php verifyOldPassword() I changed this:

if (User::model()->notsafe()->findByPk(Yii::app()->user->id)->password != Yii::app()->getModule('user')->encrypting($this->$attribute))

To this:

if (!Yii::app()->hasher->checkPassword($this->$attribute, User::model()->notsafe()->findByPk(Yii::app()->user->id)->password))

#7 Ne0nx3r0

Newbie

Group: Members
Posts: 8
Joined: 14-December 11

Posted 07 July 2013 - 10:28 PM

Queryton, on 05 March 2012 - 02:16 AM, said:

Here's a method for Bcrypt which is better for password & activation key storage:

One minor issue I had is that for servers that do not allow url-encoded slashes (%2F) the email activation links wont work. As a kludgey sort of fix I just added:
$model->activkey=str_replace("/","_",Yii::app()->hasher->hashPassword(microtime().$model->password));

To the four locations where the activkey is generated. This seems to have fixed the issue.