Wednesday, February 25, 2015

CakePHP 3 cipherseed removal and password migration - HELP

This is a scenario that is true to me and it is leading me to take the decision to not upgrade to Cake3 at this moment.

I have 2 applications and one has to communicate with the other. One application has been fully built with the latest stable version of Cake 2, and the new application, which is on legacy code, was going to use Cake 3 so we could benefit from all of the new perks. Unfortunately, with the removal of the cipherseed and the cipher functions, a password that was generated in Cake 2 now can't be used in Cake 3.

Example of password encryption results using CakePHP 2.6 and CakePHP 3

password = changeme
Salt and Cipherseed were kept the same in both versions.

CakePHP 2.6
HashClass = Simple
HashType = SHA256
Encryption result = cb15d8050a3da1c302e62d27b57e128fb4aef8207b39cd17d44afb3838390c43

CakePHP 3
HashClass = Weak
HashType = SHA256
Encryption result = c88333b093105e07acff5b19be6fbaf51e6482b1

I had asked this on Twitter before, and the response that I got was that there would be backwards compatibility if you were using the Simple password hasher in CakePHP 2.6 and upgraded to CakePHP 3, so I wouldn't need to change all my users' passwords through the database or force them to reset their passwords.

Based on the result above I don't see how I can use the same password system from Cake 2 to Cake 3 and it also doesn't seem like it is using the hashType set on config.

Is there anything I'm missing here? Can anyone help?

I need to decide really quick if I will move forth with Cake 3 or keep development with Cake 2.

Thanks in advance.
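
An added example, not part of the original post and not CakePHP code: the two results above are 64 and 40 hex characters long, which are the lengths of a SHA-256 and a SHA-1 digest. The PHP below assumes the legacy scheme is `hash(algo, salt . password)`, uses a constructed salt, and uses hypothetical function names to show how a stored digest's length identifies its algorithm and how a legacy hash can be replaced at login without a forced reset.

```php
<?php
// Constructed sample salt; the real Security.salt is not shown in the post.
const LEGACY_SALT = 'constructed-example-salt';

// Assumption: the legacy hash is the hex digest of (salt . password).
function legacyHash(string $password, string $algo): string
{
    return hash($algo, LEGACY_SALT . $password);
}

// A bare hex digest's length identifies the digest size used to produce it.
function guessAlgo(string $stored): ?string
{
    $byLength = [32 => 'md5', 40 => 'sha1', 64 => 'sha256', 128 => 'sha512'];
    if (!ctype_xdigit($stored)) {
        return null; // not a bare hex digest, e.g. a password_hash() string
    }
    return $byLength[strlen($stored)] ?? null;
}

// Returns [verified, replacementHash]. replacementHash is non-null when the
// stored value should be overwritten with a modern hash after a good login.
function verifyAndUpgrade(string $password, string $stored): array
{
    $algo = guessAlgo($stored);
    if ($algo !== null) {
        // Legacy path: recompute with the algorithm the length implies,
        // compare in constant time, and hand back a replacement on success.
        $ok = hash_equals($stored, legacyHash($password, $algo));
        return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : null];
    }
    $ok = password_verify($password, $stored);
    $stale = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [$ok, $stale ? password_hash($password, PASSWORD_DEFAULT) : null];
}

// Same password and salt, two algorithms: the digests differ in length.
$sha256 = legacyHash('changeme', 'sha256');
$sha1   = legacyHash('changeme', 'sha1');
printf("%d chars -> %s\n", strlen($sha256), guessAlgo($sha256));
printf("%d chars -> %s\n", strlen($sha1), guessAlgo($sha1));

// A login against the SHA-256 record verifies and yields a replacement hash.
[$ok, $replacement] = verifyAndUpgrade('changeme', $sha256);
var_dump($ok, $replacement !== null && guessAlgo($replacement) === null);

// A wrong password fails and produces no replacement.
[$bad, $none] = verifyAndUpgrade('wrong-password', $sha256);
var_dump($bad, $none);
```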
