@@ -120,273 +120,6 @@ and to allow anonymous users to the login form page.
120120
121121This option is explained in detail in :doc: `/security/access_control `.
122122
123- .. _encoders :
124-
125- hashers
126- -------
127-
128- This option defines the algorithm used to *hash * the password of the users
129- (which in previous Symfony versions was wrongly called *"password encoding" *).
130-
131- If your app defines more than one user class, each of them can define its own
132- hashing algorithm. Also, each algorithm defines different config options:
133-
134- .. configuration-block ::
135-
136- .. code-block :: yaml
137-
138- # config/packages/security.yaml
139- security :
140- # ...
141-
142- password_hashers :
143- # auto hasher with default options
144- App\Entity\User : ' auto'
145-
146- # auto hasher with custom options
147- App\Entity\User :
148- algorithm : ' auto'
149- cost : 15
150-
151- # Sodium hasher with default options
152- App\Entity\User : ' sodium'
153-
154- # Sodium hasher with custom options
155- App\Entity\User :
156- algorithm : ' sodium'
157- memory_cost : 16384 # Amount in KiB. (16384 = 16 MiB)
158- time_cost : 2 # Number of iterations
159-
160- # MessageDigestPasswordHasher hasher using SHA512 hashing with default options
161- App\Entity\User : ' sha512'
162-
163- code-block :: xml
164-
165- <!-- config/packages/security.xml -->
166- <?xml version =" 1.0" encoding =" UTF-8"
167- <srv : container xmlns =" http://symfony.com/schema/dic/security"
168- xmlns : xsi =" http://www.w3.org/2001/XMLSchema-instance"
169- xmlns : srv =" http://symfony.com/schema/dic/services"
170- xsi : schemaLocation =" http://symfony.com/schema/dic/services
171- https://symfony.com/schema/dic/services/services-1.0.xsd
172- http://symfony.com/schema/dic/security
173- https://symfony.com/schema/dic/security/security-1.0.xsd" >
174-
175- <config >
176- <!-- ... -->
177- <!-- auto hasher with default options -->
178- <security : password-hasher
179- class =" App\Entity\User"
180- algorithm =" auto"
181- />
182-
183- <!-- auto hasher with custom options -->
184- <security : password-hasher
185- class =" App\Entity\User"
186- algorithm =" auto"
187- cost =" 15"
188- />
189-
190- <!-- Sodium hasher with default options -->
191- <security : password-hasher
192- class =" App\Entity\User"
193- algorithm =" sodium"
194- />
195-
196- <!-- Sodium hasher with custom options -->
197- <!-- memory_cost: amount in KiB. (16384 = 16 MiB)
198- time_cost: number of iterations -->
199- <security : password-hasher
200- class =" App\Entity\User"
201- algorithm =" sodium"
202- memory_cost =" 16384"
203- time_cost =" 2"
204- />
205-
206- <!-- MessageDigestPasswordHasher hasher using SHA512 hashing with default options -->
207- <security : password-hasher
208- class =" App\Entity\User"
209- algorithm =" sha512"
210- />
211- </config >
212- </srv : container >
213-
214- code-block :: php
215-
216- // config/packages/security.php
217- use App\Entity\User;
218- use Symfony\Config\SecurityConfig;
219-
220- return static function (SecurityConfig $security) {
221- // ...
222-
223- // auto hasher with default options
224- $security->passwordHasher(User::class)
225- ->algorithm('auto');
226-
227- // auto hasher with custom options
228- $security->passwordHasher(User::class)
229- ->algorithm('auto')
230- ->cost(15);
231-
232- // Sodium hasher with default options
233- $security->passwordHasher(User::class)
234- ->algorithm('sodium');
235-
236- // Sodium hasher with custom options
237- $security->passwordHasher(User::class)
238- ->algorithm('sodium')
239- ->memoryCost(16384) // Amount in KiB. (16384 = 16 MiB)
240- ->timeCost(2); // Number of iterations
241-
242- // MessageDigestPasswordHasher hasher using SHA512 hashing with default options
243- $security->passwordHasher(User::class)
244- ->algorithm('sha512');
245- };
246-
247- versionadded :: 5.3
248-
249- The ``password_hashers `` option was introduced in Symfony 5.3. In previous
250- versions it was called ``encoders ``.
251-
252- .. tip ::
253-
254- You can also create your own password hashers as services and you can even
255- select a different password hasher for each user instance. Read
256- :doc: `this article </security/named_hashers >` for more details.
257-
258- .. tip ::
259-
260- Hashing passwords is resource intensive and takes time in order to generate
261- secure password hashes. In tests however, secure hashes are not important, so
262- you can change the password hasher configuration in ``test `` environment to
263- run tests faster:
264-
265- .. configuration-block ::
266-
267- .. code-block :: yaml
268-
269- # config/packages/test/security.yaml
270- password_hashers :
271- # Use your user class name here
272- App\Entity\User :
273- algorithm : auto # This should be the same value as in config/packages/security.yaml
274- cost : 4 # Lowest possible value for bcrypt
275- time_cost : 3 # Lowest possible value for argon
276- memory_cost : 10 # Lowest possible value for argon
277-
278- code-block :: xml
279-
280- <!-- config/packages/test/security.xml -->
281- <?xml version =" 1.0" encoding =" UTF-8"
282- <srv : container xmlns =" http://symfony.com/schema/dic/security"
283- xmlns : xsi =" http://www.w3.org/2001/XMLSchema-instance"
284- xmlns : srv =" http://symfony.com/schema/dic/services"
285- xsi : schemaLocation =" http://symfony.com/schema/dic/services
286- https://symfony.com/schema/dic/services/services-1.0.xsd" >
287-
288- <config >
289- <!-- class: Use your user class name here -->
290- <!-- algorithm: This should be the same value as in config/packages/security.yaml -->
291- <!-- cost: Lowest possible value for bcrypt -->
292- <!-- time_cost: Lowest possible value for argon -->
293- <!-- memory_cost: Lowest possible value for argon -->
294- <security : password-hasher
295- class =" App\Entity\User"
296- algorithm =" auto"
297- cost =" 4"
298- time_cost =" 3"
299- memory_cost =" 10"
300- />
301- </config >
302- </srv : container >
303-
304- code-block :: php
305-
306- // config/packages/test/security.php
307- use App\Entity\User;
308- use Symfony\Config\SecurityConfig;
309-
310- return static function (SecurityConfig $security) {
311- // ...
312-
313- // Use your user class name here
314- $security->passwordHasher(User::class)
315- ->algorithm('auto') // This should be the same value as in config/packages/security.yaml
316- ->cost(4) // Lowest possible value for bcrypt
317- ->timeCost(2) // Lowest possible value for argon
318- ->memoryCost(10) // Lowest possible value for argon
319- ;
320- };
321-
322-
323- reference-security-encoder-auto :
324- .. _using-the-auto-password-encoder :
325-
326- Using the "auto" Password Hasher
327- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
328-
329- It automatically selects the best available hasher. Starting from Symfony 5.3,
330- it uses the Bcrypt hasher. If PHP or Symfony adds new password hashers in the
331- future, it might select a different hasher.
332-
333- Because of this, the length of the hashed passwords may change in the future, so
334- make sure to allocate enough space for them to be persisted (``varchar(255) ``
335- should be a good setting).
336-
337- .. _reference-security-encoder-bcrypt :
338-
339- Using the Bcrypt Password Hasher
340- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
341-
342- It produces hashed passwords with the `bcrypt password hashing function `_.
343- Hashed passwords are ``60 `` characters long, so make sure to
344- allocate enough space for them to be persisted. Also, passwords include the
345- `cryptographic salt `_ inside them (it's generated automatically for each new
346- password) so you don't have to deal with it.
347-
348- Its only configuration option is ``cost ``, which is an integer in the range of
349- ``4-31 `` (by default, ``13 ``). Each single increment of the cost **doubles the
350- time ** it takes to hash a password. It's designed this way so the password
351- strength can be adapted to the future improvements in computation power.
352-
353- You can change the cost at any time — even if you already have some passwords
354- hashed using a different cost. New passwords will be hashed using the new
355- cost, while the already hashed ones will be validated using a cost that was
356- used back when they were hashed.
357-
358- .. tip ::
359-
360- A simple technique to make tests much faster when using BCrypt is to set
361- the cost to ``4 ``, which is the minimum value allowed, in the ``test ``
362- environment configuration.
363-
364- .. _reference-security-sodium :
365- .. _using-the-argon2i-password-encoder :
366- .. _using-the-sodium-password-encoder :
367-
368- Using the Sodium Password Hasher
369- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
370-
371- It uses the `Argon2 key derivation function `_. Argon2 support was introduced
372- in PHP 7.2 by bundeling the `libsodium `_ extension.
373-
374- The hashed passwords are ``96 `` characters long, but due to the hashing
375- requirements saved in the resulting hash this may change in the future, so make
376- sure to allocate enough space for them to be persisted. Also, passwords include
377- the `cryptographic salt `_ inside them (it's generated automatically for each new
378- password) so you don't have to deal with it.
379-
380- .. _reference-security-pbkdf2 :
381- .. _using-the-pbkdf2-encoder :
382-
383- Using the PBKDF2 Hasher
384- ~~~~~~~~~~~~~~~~~~~~~~~
385-
386- Using the `PBKDF2 `_ hasher is no longer recommended since PHP added support for
387- Sodium and BCrypt. Legacy application still using it are encouraged to upgrade
388- to those newer hashing algorithms.
389-
390123firewalls
391124---------
392125
0 commit comments