Encoding passwords using sha512 doesn't work correctly in Symfony2

679 views

I am using sha512 as an encoder for passwords. However, the passwords are not recorded in the database using that encoder. For example, if the password is "123" it will be hashed (using sha512) as:

3c9909afec25354d551dae21590bb26e38d53f2173b8d3dc3eee4c047e7ab1c1eb8b85103e3be7ba613b31bb5c9c36214dc9f14a42fd7a2fdb84856bca5c44c2

However, that password is actually stored in my database as follows: iOgyhdY1gJJPj7y7mMN8obgqMQZH2fLDuQuXfqZesC1Iqxo6iHxRuAA9m8E1ZUz76OIiPGTann7uJ3BNhPDoEA==

This is the code of the file security.yml that I have:

security:
    firewalls:
        secured_area:
            pattern:    ^/
            anonymous: ~
            form_login:
                login_path:  /login
                check_path:  /login/check
                default_target_path: /home
                always_use_default_target_path: true
            logout:
                path:   /home/logout
                target: /login
            remember_me:
                key:      %secret%
                lifetime: 604800
                path:     /
                domain:   ~

    access_control:
        - { path: ^(?!/login), role: IS_AUTHENTICATED_FULLY }

    providers:
        main:
            entity: { class: Ikproj\LoginBundle\Entity\User, property: username }

    encoders:
        Ikproj\LoginBundle\Entity\User: sha512

And this is the code of the file User.php:

<?php

namespace Ikproj\LoginBundle\Entity;
use Symfony\Component\Security\Core\User\UserInterface;

use Doctrine\ORM\Mapping as ORM;

/**
 * User
 *
 * @ORM\Table(name="user")
 * @ORM\Entity(repositoryClass="Ikproj\LoginBundle\Entity\UserRepository")
 */
class User implements UserInterface
{  
    /**
     * @var integer
     *
     * @ORM\Column(name="id_user", type="integer")
     * @ORM\Id
     * @ORM\GeneratedValue(strategy="AUTO")
     */
    private $id;

    /**
     * @var string
     *
     * @ORM\Column(name="name", type="string", length=255)
     */
    private $name;

    /**
     * @var string
     *
     * @ORM\Column(name="username", type="string", length=255)
     */
    private $username;

    /**
     * @var string
     *
     * @ORM\Column(name="pseudo", type="string", length=255)
     */
    private $pseudo;

    /**
     * @var string
     *
     * @ORM\Column(name="password", type="string", length=255)
     */
    private $password;

    /**
     * @var string
     *
     * @ORM\Column(name="sexeuser", type="string", length=255)
     */
    private $sexeuser;

    /**
     * @var \Date
     *
     * @ORM\Column(name="dateanniv", type="date")
     */
    private $dateanniv;

    /**
     * Get id
     *
     * @return integer 
     */
    public function getId()
    {
        return $this->id;
    }

    /**
     * Set name
     *
     * @param string $name
     * @return User
     */
    public function setName($name)
    {
        $this->name = $name;

        return $this;
    }

    /**
     * Get name
     *
     * @return string 
     */
    public function getName()
    {
        return $this->name;
    }

    /**
     * Set username
     *
     * @param string $username
     * @return User
     */
    public function setUsername($username)
    {
        $this->username = $username;

        return $this;
    }

    /**
     * Get username
     *
     * @return string 
     */
    public function getUsername()
    {
        return $this->username;
    }

    /**
     * Set pseudo
     *
     * @param string $pseudo
     * @return User
     */
    public function setPseudo($pseudo)
    {
        $this->pseudo = $pseudo;

        return $this;
    }

    /**
     * Get pseudo
     *
     * @return string 
     */
    public function getPseudo()
    {
        return $this->pseudo;
    }

    /**
     * Set password
     *
     * @param string $password
     * @return User
     */
    public function setPassword($password)
    {
        $this->password = $password;

        return $this;
    }

    /**
     * Get password
     *
     * @return string
     */
    public function getPassword()
    {
        return $this->password;
    }

    /**
     * Set sexeuser
     *
     * @param string $sexeuser
     * @return User
     */
    public function setSexeuser($sexeuser)
    {
        $this->sexeuser = $sexeuser;

        return $this;
    }

    /**
     * Get sexeuser
     *
     * @return string 
     */
    public function getSexeuser()
    {
        return $this->sexeuser;
    }

    /**
     * Set dateanniv
     *
     * @param \DateTime $dateanniv
     * @return User
     */
    public function setDateanniv($dateanniv)
    {
        $this->dateanniv = $dateanniv;

        return $this;
    }

    /**
     * Get dateanniv
     *
     * @return \DateTime 
     */
    public function getDateanniv()
    {
        return $this->dateanniv;
    }

    public function getRoles()
    {
        return array('ROLE_ADMIN');
    }

    public function getSalt()
    {
        return null;
    }

    public function eraseCredentials()
    {

    }

    public function equals(UserInterface $user)
    {
        return $user->getUsername() == $this->getUsername();
    }   
}

When I log in using the password "123", it works without any problem. I wonder how it accepts the password although it is not encoded in the correct form! So my questions are:

  1. Why is the password "123" stored in the database in such a form?
  2. What is the encoding method used to obtain the following result: iOgyhdY1gJJPj7y7mMN8obgqMQZH2fLDuQuXfqZesC1Iqxo6iHxRuAA9m8E1ZUz76OIiPGTann7uJ3BNhPDoEA==
  3. What is wrong in my code?
2

There are 2 answers

6
Gerry On BEST ANSWER

By default, when selecting an algorithm, the default options are to iterate 5000 times using this algorithm, and then do a base64 encode on the result. This should explain the resulting string.

As to what is wrong with your code, I'm not sure what your actual problem is?

0
LordFailling On

Try to iterate only once and disable the base64 encoding.

try:

security:
    encoders:
        Symfony\Component\Security\Core\User\User:
            algorithm: sha512
            encode_as_base64: false
            iterations: 1
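The following script is an added example, not code from the question, from either answer, or from Symfony itself. It re-implements the scheme Gerry's answer describes (hash, re-hash the digest together with the salted password for the remaining iterations, then base64- or hex-encode) so that the two forms seen on this page can be compared: the plain sha512 hex digest the asker expected (which is what LordFailling's `iterations: 1` / `encode_as_base64: false` configuration yields) and the 88-character base64 string that the defaults of 5000 iterations plus base64 produce. The function names are my own; the `password{salt}` merging rule and the defaults are assumed to match Symfony's message-digest encoder, and because the entity's `getSalt()` returns null no salt is mixed in.

```php
<?php
// Added example: stand-alone re-implementation of Symfony2's message-digest
// password hashing, for comparing stored values. Function names are hypothetical
// (not Symfony's API); the merging rule and defaults are assumptions about Symfony.

function encodePasswordLikeSymfony(
    string $raw,
    ?string $salt = null,
    string $algorithm = 'sha512',
    bool $encodeAsBase64 = true,
    int $iterations = 5000
): string {
    if (!in_array($algorithm, hash_algos(), true)) {
        throw new \LogicException(sprintf('The algorithm "%s" is not supported.', $algorithm));
    }

    // Symfony merges password and salt as password{salt}; an empty salt means the
    // raw password is hashed on its own, which is what a null getSalt() gives.
    $salted = ($salt === null || $salt === '') ? $raw : $raw . '{' . $salt . '}';

    // First pass over the salted password, binary output.
    $digest = hash($algorithm, $salted, true);

    // Key stretching: feed the previous binary digest plus the salted password
    // back into the hash for the remaining iterations.
    for ($i = 1; $i < $iterations; ++$i) {
        $digest = hash($algorithm, $digest . $salted, true);
    }

    return $encodeAsBase64 ? base64_encode($digest) : bin2hex($digest);
}

// Constant-time comparison of a stored value against a candidate password
// encoded with the same parameters.
function isPasswordValidLikeSymfony(
    string $encoded,
    string $raw,
    ?string $salt = null,
    string $algorithm = 'sha512',
    bool $encodeAsBase64 = true,
    int $iterations = 5000
): bool {
    $candidate = encodePasswordLikeSymfony($raw, $salt, $algorithm, $encodeAsBase64, $iterations);
    return hash_equals($encoded, $candidate);
}

// Values copied from the question: the hex digest the asker expected and the
// base64 string actually found in the database.
$expectedHex = '3c9909afec25354d551dae21590bb26e38d53f2173b8d3dc3eee4c047e7ab1c1'
             . 'eb8b85103e3be7ba613b31bb5c9c36214dc9f14a42fd7a2fdb84856bca5c44c2';
$storedInDb = 'iOgyhdY1gJJPj7y7mMN8obgqMQZH2fLDuQuXfqZesC1Iqxo6iHxRuAA9m8E1ZUz76OIiPGTann7uJ3BNhPDoEA==';

// 1. One iteration, no base64 (LordFailling's configuration): plain sha512 hex.
$single = encodePasswordLikeSymfony('123', null, 'sha512', false, 1);
echo "iterations=1, hex:    ", $single, PHP_EOL;
echo "matches expected hex: ", var_export($single === $expectedHex, true), PHP_EOL;

// 2. Defaults (5000 iterations, base64): 64 raw bytes become 88 base64 characters,
//    the shape of the value stored in the database.
$default = encodePasswordLikeSymfony('123');
echo "defaults, base64:     ", $default, PHP_EOL;
echo "length 88:            ", var_export(strlen($default) === 88, true), PHP_EOL;

// 3. Check the stored value the way a verifier would. This only matches when the
//    stored hash really was produced with a null salt and the default parameters.
echo "stored value matches: ", var_export(isPasswordValidLikeSymfony($storedInDb, '123'), true), PHP_EOL;
```

Run it with `php` from the command line. If step 3 reports a match, that confirms both the parameters Gerry's answer names and that the entity contributes no salt: with `getSalt()` returning null, every user who picks the same password ends up with an identical stored value, so a per-user random salt (returned from `getSalt()` and stored alongside the hash) is the minimum improvement, and Symfony versions from 2.2 onward also ship a bcrypt encoder that handles salting and cost on its own. Note also that following LordFailling's suggestion of `iterations: 1` removes the stretching entirely; it makes the stored value look like the hex the asker expected, but it is a weakening, not a fix.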