
Hello, I'm trying to do a login with Symfony2 and a database table with passwords stored as MD5 with no salt field. I have a lot of users and I can't change it.

The login seems to work fine when I send the form with an invalid email: it returns the right message, "Bad credentials". But when I send the form with a good email it says "The presented password is invalid."

What's wrong?

I configured the firewall:

security:
    encoders:
        Usuari\BackendBundle\Entity\Usuari:
            algorithm: md5

I implement UserInterface in the Usuari entity, with no salt:

    namespace Usuari\BackendBundle\Entity;

    use Symfony\Component\Security\Core\User\UserInterface;

    class Usuari implements UserInterface
    {
        // Mapped columns (assumed): email is the login name, clau holds the MD5 hash
        private $email;
        private $clau;

        public function getUsername()
        {
            return $this->email;
        }

        // The legacy table has no salt column, so nothing is merged into the hash
        public function getSalt()
        {
            return '';
        }

        // Stored hash exactly as it sits in the table; the encoder compares against it
        public function getPassword()
        {
            return $this->clau;
        }

        public function getRoles()
        {
            return array('ROLE_ADMIN');
        }

        public function eraseCredentials()
        {
        }

        // equals() was part of UserInterface in Symfony 2.0
        public function equals(UserInterface $user)
        {
            return $this->email === $user->getUsername();
        }
    }

And the security controller at the /login route:

namespace Mes\BackendBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Security\Core\SecurityContext;

class SecurityController extends Controller
{
    public function loginAction()
    {
        $request = $this->getRequest();
        $session = $request->getSession();

        // get the login error if there is one (the firewall stores it either
        // in the request attributes or in the session)
        if ($request->attributes->has(SecurityContext::AUTHENTICATION_ERROR)) {
            $error = $request->attributes->get(SecurityContext::AUTHENTICATION_ERROR);
        } else {
            $error = $session->get(SecurityContext::AUTHENTICATION_ERROR);
        }

        return $this->render('MeBackendBundle:Security:login.html.twig', array(
            // last username entered by the user
            'last_username' => $session->get(SecurityContext::LAST_USERNAME),
            'error'         => $error,
        ));
    }
}
David
  • Don't say you can't change it. We migrated a site from Drupal to our Symfony2 system, with over 100K users, and we chose to force a password update for users after first login on the new system, so we could get rid of MD5 as soon as possible. MD5 is bad. – Teo.sk Sep 26 '12 at 19:51
  • True. BTW, check out my [blowfish password encoder bundle](https://github.com/elnur/ElnurBlowfishPasswordEncoderBundle). – Elnur Abdurrakhimov Sep 26 '12 at 20:12
  • Because I don't have the real passwords of the users. I only have the MD5 hash. – David Sep 26 '12 at 22:25
  • David, check Thomas K's answer. – Teo.sk Sep 27 '12 at 09:01

3 Answers

Change algorithm: sha1 to algorithm: md5.

Elnur Abdurrakhimov

I was in a similar situation. What I did is that I created separate encoders so that legacy users can log in using the old algorithm and new users get more secure passwords using Symfony's default encoder.

I posted a very extensive answer here

Thomas K

Thomas, this solution seems to work fine, but it is more complex.

Finally I decided to regenerate all passwords in the database with another hash function and a salt field. I will send an email to all users with a link that allows them to change their password.

David
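The following is an added example, not code from the question or from any of the answers. It ports, as I understand it (an assumption, not Symfony's own code), the digest-stretching scheme of Symfony2's MessageDigestPasswordEncoder, and uses it to show why `algorithm: md5` on its own does not match a column of plain hex MD5 hashes: the encoder's defaults are `encode_as_base64: true` and `iterations: 5000`, so it compares a base64 string of a 5000-round digest against the stored 32-character hex value. It then shows the settings that reproduce plain MD5, and a verify-then-upgrade routine along the lines of Thomas K's separate-encoder answer and David's final migration: accept the legacy hash once, then store a salted bcrypt hash. `password_hash()`, `password_verify()` and `hash_equals()` assume PHP 5.6 or newer; the `secret` password and the legacy row are constructed for the demo.

```php
<?php
// Added example (not from the question or answers). The encoder port below is
// my reading of Symfony2's MessageDigestPasswordEncoder and is an assumption.

// Same merge rule as Symfony2's base encoder as I understand it:
// an empty salt means the raw password is hashed on its own.
function mergePasswordAndSalt($password, $salt)
{
    if ('' === $salt || null === $salt) {
        return $password;
    }
    return $password . '{' . $salt . '}';
}

// digest = hash(salted); then (iterations - 1) rounds of hash(digest . salted);
// output base64 or hex depending on encode_as_base64.
function messageDigestEncode($algorithm, $password, $salt, $encodeAsBase64, $iterations)
{
    $salted = mergePasswordAndSalt($password, $salt);
    $digest = hash($algorithm, $salted, true);
    for ($i = 1; $i < $iterations; $i++) {
        $digest = hash($algorithm, $digest . $salted, true);
    }
    return $encodeAsBase64 ? base64_encode($digest) : bin2hex($digest);
}

// Constructed legacy row: unsalted md5('secret'), as the question's "clau" column stores it.
$legacyHash = md5('secret'); // 5ebe2294ecd0e0f08eab7690d2a6ee69

// 1) The question's configuration: algorithm: md5 with the defaults
//    (encode_as_base64: true, iterations: 5000). The result is a base64 string
//    of a 5000-round digest and never equals the stored hex MD5, hence
//    "The presented password is invalid." for every correct password.
$withDefaults = messageDigestEncode('md5', 'secret', '', true, 5000);
printf("defaults match legacy row: %s (%s)\n", $withDefaults === $legacyHash ? 'yes' : 'no', $withDefaults);

// 2) Settings that reproduce plain hex MD5 for the legacy table:
//    security:
//        encoders:
//            Usuari\BackendBundle\Entity\Usuari:
//                algorithm: md5
//                encode_as_base64: false
//                iterations: 1
$legacyCompatible = messageDigestEncode('md5', 'secret', '', false, 1);
printf("iterations=1, hex match legacy row: %s (%s)\n", $legacyCompatible === $legacyHash ? 'yes' : 'no', $legacyCompatible);

// 3) Migration on successful login. A stored value that looks like a bare MD5
//    (32 hex chars) is verified with the legacy scheme and, if correct, replaced
//    by a salted bcrypt hash; anything else is treated as an already-migrated row.
//    Returns true/false; $newHash is set only when the row should be rewritten.
function verifyAndUpgrade($presented, $storedHash, &$newHash)
{
    $newHash = null;
    if (strlen($storedHash) === 32 && ctype_xdigit($storedHash)) {
        // Legacy unsalted MD5 row. Constant-time compare to avoid leaking hash bytes.
        if (!hash_equals($storedHash, md5($presented))) {
            return false;
        }
        // Correct password: re-hash with a salted, slow algorithm (bcrypt, PHP >= 5.5).
        $newHash = password_hash($presented, PASSWORD_BCRYPT);
        return true;
    }
    // Already migrated: bcrypt hash carries its own salt and cost.
    return password_verify($presented, $storedHash);
}

$row = $legacyHash;
if (verifyAndUpgrade('secret', $row, $upgraded)) {
    $row = $upgraded;                      // caller persists this in the "clau" column
    printf("upgraded row: %s\n", $row);    // $2y$10$... (bcrypt, random salt each run)
}
printf("second login against upgraded row: %s\n", verifyAndUpgrade('secret', $row, $unused) ? 'ok' : 'rejected');
printf("wrong password against upgraded row: %s\n", verifyAndUpgrade('wrong', $row, $unused) ? 'ok' : 'rejected');
```

Run it with `php example.php`. Once every remaining legacy row has been rewritten (or reset through the emailed link David describes), the `md5` encoder entry and the 32-hex-character branch in `verifyAndUpgrade()` can be removed, leaving only the salted scheme.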