From 17999cfd34ba951eb7cff08b517acdb262e497cb Mon Sep 17 00:00:00 2001
From: Roberto Lombi
Date: Fri, 28 Feb 2014 13:29:19 +0100
Subject: [PATCH 1/2] Wrong parameters order and wrong naming
Wrong parameters order and wrong naming on "Using Password Encoders" section
---
 components/security/authentication.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/components/security/authentication.rst b/components/security/authentication.rst
index 11afefa23ff..f010e4cac7e 100644
--- a/components/security/authentication.rst
+++ b/components/security/authentication.rst
@@ -249,8 +249,8 @@ which should be used to encode this user's password::
     // check if the password is valid:
     $validPassword = $encoder->isPasswordValid(
+        $encodedPassword,
         $user->getPassword(),
-        $password,
         $user->getSalt());
 .. _`CVE-2013-5750`: http://symfony.com/blog/cve-2013-5750-security-issue-in-fosuserbundle-login-form
From 02f072a667ce2ef2d9227bd0e24da74614da411a Mon Sep 17 00:00:00 2001
From: WouterJ
Date: Wed, 21 May 2014 11:16:20 +0200
Subject: [PATCH 2/2] Applied comments
---
 components/security/authentication.rst | 28 +++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/components/security/authentication.rst b/components/security/authentication.rst
index f010e4cac7e..3abba44dea3 100644
--- a/components/security/authentication.rst
+++ b/components/security/authentication.rst
@@ -237,21 +237,35 @@ method of the password encoder factory is called with the user object as its
 first argument, it will return an encoder of type
 :class:`Symfony\\Component\\Security\\Core\\Encoder\\PasswordEncoderInterface`
 which should be used to encode this user's password::
-    // fetch a user of type Acme\Entity\LegacyUser
-    $user = ...
+    // a Acme\Entity\LegacyUser instance
+    $user = ...;
+
+    // the password that was submitted, e.g. when registering
+    $plainPassword = ...;
     $encoder = $encoderFactory->getEncoder($user); // will return $weakEncoder (see above)
+    $encodedPassword = $encoder->encodePassword($plainPassword, $user->getSalt());
+
+    $user->setPassword($encodedPassword);
-    $encodedPassword = $encoder->encodePassword($password, $user->getSalt());
+    // ... save the user
-    // check if the password is valid:
+Now, when you want to check if the submitted password (e.g. when trying to log
+in) is correct, you can use::
+
+    // fetch the Acme\Entity\LegacyUser
+    $user = ...;
+
+    // the submitted password, e.g. from the login form
+    $plainPassword = ...;
     $validPassword = $encoder->isPasswordValid(
-        $encodedPassword,
-        $user->getPassword(),
-        $user->getSalt());
+        $user->getPassword(), // the encoded password
+        $plainPassword, // the submitted password
+        $user->getSalt()
+    );
 .. _`CVE-2013-5750`: http://symfony.com/blog/cve-2013-5750-security-issue-in-fosuserbundle-login-form
 .. _`BasePasswordEncoder::checkPasswordLength`: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php
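Review bot: The new login snippet introduced under `Now, when you want to check if the submitted password ... you can use::` re-fetches `$user` and `$plainPassword` but then calls `$encoder->isPasswordValid(...)` on the `$encoder` obtained in the registration snippet above, which belongs to a different request; a reader who copies this block gets an undefined `$encoder`, and if the fetched user maps to a different encoder than the one chosen earlier the comparison runs with the wrong algorithm. Add `$encoder = $encoderFactory->getEncoder($user);` right after `$plainPassword = ...;` in the login snippet so the encoder is always derived from the user being verified. The surrounding prose would also benefit from one sentence stating that the stored hash must only ever be compared through `isPasswordValid()` (never with `===` against a freshly encoded value), since the encoder owns the comparison semantics and the `CVE-2013-5750` length check linked at the bottom of the hunk.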