More Security Helpers in Yii2

I was reading the Laravel 4 documentation and I saw some security stuff that would be great in Yii2:

  • A helper to create some secure hash in Yii. In Yii 1.x the user extensions have to handle it and we see some pretty bad stuff (unsalted md5/sha1). I think of something like

Hash::generate($password);

that’ll create a bcrypt salted password.


Hash::check($plainPassword, $hashedPassword)

could be verifying the password

  • A helper letting you reset the password. This is something really hard to do well and a lot of extensions are doing it the wrong way. This helper could generate the temporary random token and send it by mail to reset the password, and then check that the token is valid for the given email address and is not expired when the user changes his credentials.
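
The reset-token flow described in the post above, as an added example that is not part of the original thread and is not Yii code. The class and method names are hypothetical, the in-memory array stands in for a database table, and PHP 7+ is assumed for `random_bytes()`.

```php
<?php
// Added example: hypothetical helper, not a Yii or Laravel API.
final class PasswordResetTokens
{
    private $rows = [];   // email => ['hash' => string, 'expires' => int]
    private $ttl;

    public function __construct(int $ttlSeconds = 3600)
    {
        $this->ttl = $ttlSeconds;
    }

    // Returns the raw token to mail to the user. Only its SHA-256 digest is
    // stored, so a leaked table does not yield usable reset links.
    public function issue(string $email, int $now): string
    {
        $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
        $this->rows[$email] = [
            'hash'    => hash('sha256', $token),
            'expires' => $now + $this->ttl,
        ];
        return $token;
    }

    // True only if the token is the one issued for this email and is not
    // expired. A successful check consumes the token (single use).
    public function redeem(string $email, string $token, int $now): bool
    {
        if (!isset($this->rows[$email])) {
            return false;
        }
        $row = $this->rows[$email];
        $expired = $now > $row['expires'];
        // hash_equals() compares in constant time.
        $ok = !$expired && hash_equals($row['hash'], hash('sha256', $token));
        if ($ok || $expired) {
            unset($this->rows[$email]);
        }
        return $ok;
    }
}

// Constructed sample run with fixed timestamps.
$tokens = new PasswordResetTokens(900);
$t = $tokens->issue('alice@example.com', 1000);
var_dump($tokens->redeem('bob@example.com', $t, 1100));    // token presented for another address
var_dump($tokens->redeem('alice@example.com', $t, 1100));  // matching address, inside the TTL
var_dump($tokens->redeem('alice@example.com', $t, 1200));  // same token presented again
```

After a successful `redeem()`, the new password would be stored with a salted bcrypt hash, for example via `password_hash($new, PASSWORD_BCRYPT)` from the PHP 5.5 password API linked later in the thread.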
  1. Already in master: https://github.com/yiisoft/yii/blob/master/framework/utils/CPasswordHelper.php

  2. Will consider.

Thanks for your answer!

For the first, I wasn’t finding anything about it in the Yii class reference, but then I saw it’s in Yii since 1.1.14, so it hasn’t been stable released yet! I think it’s a great addition to the framework!

It certainly is.

Wouldn’t it be better to change this class to an application component or a component class that needs to be instantiated? This way it can check for the crypt() and blowfish stuff when it is instantiated instead of checking it in each method.

Onman +1.

Also it may be useful to have an abstraction or an interface for things related to the password protection.

I don’t know about instantiating the class. True, it’s better when you need to perform


checkBlowfish()

but when you don’t, it’s useless to have a non-static class for hash calculation. For the interface, I agree Yii should provide a password interface letting people define their own way to store passwords.

It’s a shame this will not be supported out of the box :(

http://lv.php.net/manual/en/ref.password.php

PHP 5 >= 5.5.0