How to check an encoded password?

Sign Up:

use Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder;

// Salt generated at sign-up and stored on the user record
$users->setSalt(md5(time()));
// sha1 digest, base64-encoded, a single iteration
$encoder = new MessageDigestPasswordEncoder('sha1', true, 1);
$password = $encoder->encodePassword($users->getPassword(), $users->getSalt());
$users->setPassword($password);

The result is something like this: qSmJxDmP8WhVJZIiJpeVLJFLnio=. So the password is safe. But how do I check whether it is the same password when the user tries to log in? (Is the password that came from the form equal to the password in the database?)

I'm confused because there is a salt, which is unique every time. What is the better technique?

@Deepak's comment is correct. Salt is not meant to be unique on every request. It is meant to be unique universally, and assigned quasi-permanently to the user's account.

You store the same salt value that was used to create the password hash when the password was set.

Then when you check the password supplied by the user, you use the same salt value, compute a new hash, and compare that to the stored hash. If they match, you have a winner.

Your passwords are stored as salts, no?

session_start();

Have a logIn() function to verify every secure action with a logOut(), and query your DB by username from either $_POST['username'] or $_SESSION['username'].

$user = DB_QUERY_BY_USERNAME; // placeholder for your own lookup by username

if ( !$user ) { logOut(); }

// Form login: recompute the salted hash with the stored salt and compare
if ( isset($_POST['username'], $_POST['password']) )
{
    if ( $user['password'] != md5( $_POST['password'] . $user['salt'] ) )
    {
        logOut();
    }
}
// Otherwise fall back to the existing session
else if ( !isset($_SESSION['username']) || $_SESSION['username'] != $user['username'] )
{
    logOut();
}

// Logged in, renew cookies, update DB, set $_SESSION variables

$_SESSION['username'] = $user['username'];
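The register/verify round trip that both answers describe (generate a salt once per account, store it beside the hash, recompute with the stored salt at login and compare), as an added example that is not code from the question or either answer. It reproduces the question's sha1 + base64 + one-iteration scheme in plain PHP; the merge format `raw.'{'.salt.'}'` is an assumption about what Symfony's MessageDigestPasswordEncoder does internally, and the in-memory `$userTable` array stands in for the database.

```php
<?php
// Added example, not the page's own code. Names (encodePassword, registerUser,
// verifyPassword, $userTable) are hypothetical; the '{salt}' merge format is an
// assumption about Symfony's MessageDigestPasswordEncoder.

// Build the digest the same way as sha1 + base64 + 1 iteration in the question.
function encodePassword(string $raw, string $salt, string $algo = 'sha1', int $iterations = 1): string
{
    $salted = $raw . '{' . $salt . '}';          // assumed Symfony merge format
    $digest = hash($algo, $salted, true);         // raw binary digest
    for ($i = 1; $i < $iterations; $i++) {
        $digest = hash($algo, $digest . $salted, true);
    }
    return base64_encode($digest);
}

// Sign-up: the salt is generated once per account and saved next to the hash.
function registerUser(array &$userTable, string $username, string $raw): void
{
    $salt = bin2hex(random_bytes(16));            // unpredictable, unlike md5(time())
    $userTable[$username] = [
        'salt'     => $salt,
        'password' => encodePassword($raw, $salt),
    ];
}

// Login: reuse the stored salt, recompute, and compare in constant time.
function verifyPassword(array $userTable, string $username, string $raw): bool
{
    if (!isset($userTable[$username])) {
        return false;                             // unknown user
    }
    $row = $userTable[$username];
    $candidate = encodePassword($raw, $row['salt']);
    return hash_equals($row['password'], $candidate);
}

// Constructed demo data.
$userTable = [];
registerUser($userTable, 'alice', 'correct horse battery staple');

var_dump(verifyPassword($userTable, 'alice', 'correct horse battery staple'));
var_dump(verifyPassword($userTable, 'alice', 'wrong password'));
var_dump(verifyPassword($userTable, 'bob', 'anything'));
```

The salt is never regenerated at login; only the stored one is reused, which is why it must be persisted with the user record. `hash_equals()` avoids leaking information through comparison timing, which a plain `!=` does not. If you stay with the Symfony encoder, `isPasswordValid($encoded, $raw, $salt)` performs this recompute-and-compare for you; for new code, PHP's `password_hash()` / `password_verify()` pair manages the salt and a slow hash internally, so a single sha1 or md5 round is not needed.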