09.
Users Need Passwords (plainPassword)
Keep on Learning!
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
Whoops, an error! Please, try again later.
16 Comments
btw is bcrypt still safe ?
and are there any other possibilities to salt the password ?
Yo Hannes,
Yes, it's the best encrypt algorithm which is suggested by Symfony: http://symfony.com/doc/curr...
And yes, you can use salt to make your encrypted password more robust - just generate salt in User::__construct() and tweak getSalt() method to return it.
Cheers!
victor Thanks for that :) btw awasome tuts Ryan. Totaly worth every penny :) Really like your way of teaching :-) Best instructor for learning Symfony the *funny* and safe way
Hi,
The password was changing every time I update the entity. Even though the password is not included in the form.
Hi Jayson,
Are you coding from scratch? Or are you in the "finish/" directory of downloaded course code? Please, search for "setPlainPassword" and "setPassword" calls in your code base and ensure you call these methods in right places. Probably you did some extra calls of these methods for debugging and forget to remove it later.
Cheers!
Hi Victor,
Thanks for reply, It works now.
Thank you for this amazing tuto <3
I've noticed that you didn't use the salt mécanisme, I don't know why? all what I know is the primary function of salts is to defend against dictionary attacks or against its hashed equivalent, a pre-computed rainbow table attack.
So we just use salts to encode our password for more sécurity.
I'm asking how we can use salts ? maybe, some explanation about the mécanisme ...
Hi ahmedbhs!
Ah, very good question! I'm not using the salt for one very important reason: in
security.yml, we configure out encoder to us the bcrypt algorithm. This algorithm does salting automatically: it includes the a salt automatically in the encoded password. So, we're returning null from getSalt() only because this encode does not require us to pass it a salt, it computes the salt automatically (which I believe is more secure anyways).So, it's good news! You are using a salt... but you didn't need to do any work for it ;).
Cheers!
I've noticed that setting password to null in setPlainPassword method may lead to unwanted behaviour:
https://symfony.com/doc/cur...
It makes the constraint UserPassword to always return incorrect password in my change password form:
https://justpaste.it/19pfj
Is there any work around?
Hey Ángel Manuel Marqués Ruiz
Great question, and you are right, it may lead to weird behaviour, so you could add a "updatedAt" field to your entity, and change that field
Cheers!
After we define $plainPassword, then we can never migrate this class without Doctrine adding a plainpassword column to our User table?
Hey Moises,
Note that we do not add @ORM\Column() annotation for plainPassword field, so the column won't be added to the User table.
Cheers!
Oh yea. I see that now. Is there another video showing how to edit a user information? I tried copying the addAction and added this....
I get an error Unable to guess how to get a Doctrine instance from the request information for parameter "user".
Hey Moises Cano
Can you show me how you defined your Route ? Look's like you are missing the User's wildcard
Cheers!
/**
* @Route("/edit/{usrid}", name="user_edit")
*/
Cool, you are not missing it, but, in order to work, it must be the name of an unique property (e.g. id, slug). So just change "usrid" to "id" or to whatever you named your id property on User class
Cheers!
"Houston: no signs of life"
Start the conversation!