Closed: discern closed this 10 years ago
On Apr 2, 2014, at 10:42 AM, Discern notifications@github.com wrote:
> It works fine on my local machine, but on the remote dev server, the password changes to 0 when using bcrypt. Changing the config to use SHA1 works. Password column is varchar 255. Any idea what might be causing this?
What version of php are you running local and what version on the remote?
-Ben Edmunds
Local is 5.3.28, Remote is 5.3.5.
Compare phpinfo() on each and see if maybe OpenSSL is compiled on local but not remote.
-Ben Edmunds
On Apr 2, 2014, at 1:30 PM, Discern notifications@github.com wrote:
> Local is 5.3.28, Remote is 5.3.5.
OpenSSL 0.9.8b on remote, 0.9.8y on local.
Weird.
Add a var_dump to the bcrypted value in ion_auth_models.php hash_password() method.
-Ben Edmunds
On Apr 3, 2014, at 6:59 AM, Discern notifications@github.com wrote:
> OpenSSL 0.9.8b on remote, 0.9.8y on local.
Hi benedmunds,
I have a similar issue, please help.
Thank you.
Follow the same steps outlined above and let me know.
My var_dump output is:
object(Bcrypt)#21 (2) { ["rounds":"Bcrypt":private]=> int(8) ["randomState":"Bcrypt":private]=> NULL }
It looks like BCrypt couldn't find a sufficient source of random.
Make sure you have OpenSSL installed on your server and compiled in PHP.
-Ben Edmunds
On May 1, 2014, at 12:13 AM, jaysheth notifications@github.com wrote:
> My var_dump output is:
> object(Bcrypt)#21 (2) { ["rounds":"Bcrypt":private]=> int(8) ["randomState":"Bcrypt":private]=> NULL }
I will add to this thread. I am having the same issue. What's weird is I have an older version of ion_auth and the bcrypt works fine, but on the newer version it does not. Both on the same server. I will keep troubleshooting this to see if I can track down what the difference is.
Made some progress on this. The commit 8dbfd489 changed the prefix for hashing from '$2a$' to '$2y$'. In my code, reverting the prefix back fixes the password-set-to-0 issue. I am looking into the prefixes and what they mean, but Ben, you might be able to shed some light on why it was changed to the new prefix.
Okay, looks like it is a PHP version issue. From the documentation on PHP crypt:
"Versions of PHP before 5.3.7 only support "$2a$" as the salt prefix:" http://docs.php.net/manual/en/function.crypt.php
If you are running a version before 5.3.7 then you will need to change the value in the 'getSalt' function inside the Bcrypt.php file in the libraries folder. You just have to change the 'y' to an 'a' on the third character of the string. My previous comment had the commit sha for the change if you are unsure what I am talking about.
@benedmunds I assume the change to '$2y$' was to address the security vulnerability as stated in the document? In that case I am not sure it should be changed out. I wonder if it would be worth it to try and parse the version of PHP in the Bcrypt file and use the appropriate prefix?
Or maybe move the salt prefix to the config file with a comment to change it if running on pre 5.3.7?
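The two fixes proposed in this thread, choosing the salt prefix from the PHP version (the '$2y$' vs '$2a$' point above) and making sure bcrypt actually got a random source (the randomState NULL comment earlier), can be combined into one hashing routine that also refuses to store anything that is not a well-formed bcrypt hash, so a crypt() failure can never end up in the password column as "0". This is an added example, not Ion Auth's own Bcrypt.php or hash_password() code; the function names bcrypt_prefix(), bcrypt_salt(), is_bcrypt_hash() and bcrypt_hash() are assumptions made for the example.

```php
<?php
// Added example, not Ion Auth code. Assumed helper names: bcrypt_prefix(),
// bcrypt_salt(), is_bcrypt_hash(), bcrypt_hash().

function bcrypt_prefix()
{
    // "$2y$" is only understood from PHP 5.3.7 on; older builds accept "$2a$" only.
    // Picking the prefix at runtime avoids hard-coding the wrong one for the server.
    return version_compare(PHP_VERSION, '5.3.7', '>=') ? '$2y$' : '$2a$';
}

function bcrypt_salt($rounds, $prefix)
{
    // bcrypt wants 22 characters from the alphabet ./A-Za-z0-9 after "$2y$NN$".
    // Fail loudly if OpenSSL cannot give cryptographically strong bytes instead
    // of silently falling back to a weak source (the randomState NULL symptom).
    $strong = false;
    $bytes  = openssl_random_pseudo_bytes(16, $strong);
    if ($bytes === false || $strong !== true) {
        throw new RuntimeException('No strong random source; check OpenSSL support in phpinfo()');
    }
    // Standard base64 uses '+' which bcrypt rejects; '/' is already in the alphabet.
    $salt = substr(strtr(base64_encode($bytes), '+', '.'), 0, 22);
    return sprintf('%s%02d$%s', $prefix, $rounds, $salt);
}

function is_bcrypt_hash($hash)
{
    // A real bcrypt result is exactly 60 characters: prefix, 2-digit cost,
    // '$', 22-character salt and 31-character digest (53 after the last '$').
    return is_string($hash)
        && preg_match('#^\$2[axy]\$\d{2}\$[./A-Za-z0-9]{53}$#', $hash) === 1;
}

function bcrypt_hash($password, $rounds = 8)
{
    $hash = crypt($password, bcrypt_salt($rounds, bcrypt_prefix()));
    // When crypt() does not understand the salt (e.g. "$2y$" on PHP < 5.3.7)
    // it returns a short failure marker such as "*0", never a 60-character hash.
    // Refuse to hand that back so it cannot be written to the users table.
    if (!is_bcrypt_hash($hash)) {
        throw new RuntimeException('crypt() did not return a bcrypt hash: ' . var_export($hash, true));
    }
    return $hash;
}

// Usage: hash at registration, verify at login by re-running crypt() with the
// stored hash as the salt (the PHP 5.3-era idiom; hash_equals() needs 5.6+).
$stored = bcrypt_hash('correct horse battery staple');
var_dump(is_bcrypt_hash($stored));                                   // bool(true)
var_dump(crypt('correct horse battery staple', $stored) === $stored); // bool(true)
var_dump(crypt('wrong password', $stored) === $stored);              // bool(false)
```

The cost of 8 rounds mirrors the value shown in the var_dump above; raising it is a one-line change. The important design choice is that every failure path throws rather than returning a truthy but meaningless value, which is exactly the class of bug the "password becomes 0" report describes.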
Yea, that makes sense. Can you send a PR moving this to the config?
-Ben Edmunds
On May 25, 2014, at 4:07 PM, sidewaysgravity notifications@github.com wrote:
> Or maybe move the salt prefix to the config file with a comment to change it if running on pre 5.3.7?
Sure. Just wanted to see your thoughts before doing it.
Awesome, thanks.
-Ben Edmunds
On May 25, 2014, at 5:05 PM, sidewaysgravity notifications@github.com wrote:
> Sure. Just wanted to see your thoughts before doing it.
@benedmunds I believe this issue can be closed now.
Thanks.