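/**
 * Verify a plaintext password against a stored password hash.
 *
 * The stored format is selected by getPasswordHashTypeUF():
 *   - "sha1":      a 25-character salt followed by sha1(salt . password).
 *   - "homegrown": the 60-character crypt() bcrypt string followed by the
 *                  22-character salt it was generated with (cost 12).
 *   - anything else: a hash produced by password_hash(), checked with
 *                  password_verify().
 *
 * Comparisons use hash_equals() (PHP >= 5.6) instead of ==. The loose
 * comparison is both timing-dependent and subject to PHP's numeric-string
 * juggling, under which two different digests of the form "0e<digits>"
 * compare equal; hash_equals() is constant-time and strict.
 *
 * @param string $password Plaintext password supplied by the user.
 * @param string $hash     Stored hash in one of the formats above.
 * @return bool True if the password matches the stored hash, false otherwise.
 */
function passwordVerifyUF($password, $hash)
{
    // Resolve the format once rather than calling the classifier per branch.
    $hashType = getPasswordHashTypeUF($hash);
    // hash_equals() requires strings; substr() may yield false on PHP < 8.
    $storedHash = (string) $hash;

    if ($hashType === "sha1") {
        // First 25 characters are the salt; the remainder is sha1(salt . password).
        $salt = (string) substr($storedHash, 0, 25);
        $candidate = $salt . sha1($salt . $password);
        return hash_equals($storedHash, $candidate);
    }

    if ($hashType === "homegrown") {
        // Manual bcrypt implementation: re-derive crypt() output using the
        // stored salt (everything after position 60) and the fixed cost 12.
        $cost = '12';
        $salt = (string) substr($storedHash, 60);
        $candidate = crypt($password, "\$2y\$" . $cost . "\$" . $salt);
        $stored = (string) substr($storedHash, 0, 60);
        // crypt() returns a short "*0"/"*1" string when the salt is unusable;
        // requiring a full 60-character bcrypt result makes that fail closed.
        return strlen($candidate) === 60 && hash_equals($stored, $candidate);
    }

    // Modern implementation.
    return password_verify($password, $storedHash);
}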
} else { //Passwords match! we're good to go' //Construct a new logged in user object //Transfer some db data to the session object $loggedInUser = new loggedInUser(); $loggedInUser->email = $userdetails["email"]; $loggedInUser->user_id = $userdetails["id"]; $loggedInUser->hash_pw = $userdetails["password"]; $loggedInUser->title = $userdetails["title"]; $loggedInUser->displayname = $userdetails["display_name"]; $loggedInUser->username = $userdetails["user_name"]; $loggedInUser->alerts = array(); //Update last sign in $loggedInUser->updateLastSignIn(); // Update password if we had encountered an outdated hash if (getPasswordHashTypeUF($userdetails["password"]) != "modern") { // Hash the user's password and update $password_hash = passwordHashUF($password); if ($password_hash === null) { error_log("Notice: outdated password hash could not be updated because new hashing algorithm is not supported. Are you running PHP >= 5.3.7?"); } else { $loggedInUser->hash_pw = $password_hash; updateUserField($loggedInUser->user_id, 'password', $password_hash); error_log("Notice: outdated password hash has been automatically updated to modern hashing."); } } // Create the user's CSRF token $loggedInUser->csrf_token(true); $_SESSION["userCakeUser"] = $loggedInUser; $successes = array(); $successes[] = "Welcome back, " . $loggedInUser->displayname;