Exemplo n.º 1
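/**
 * Compare two strings without leaking, through timing, where they first differ.
 *
 * Uses the built-in hash_equals() when the runtime provides it and otherwise
 * falls back to an XOR-accumulating loop over equal-length inputs.
 *
 * @param string $known     The trusted value (the stored hash).
 * @param string $candidate The value derived from user input.
 * @return bool True only when both strings are byte-for-byte identical.
 */
function hashEqualsCompatUF($known, $candidate)
{
    // Cast defensively: substr() can yield false on short input in older PHP versions.
    $known = (string) $known;
    $candidate = (string) $candidate;

    if (function_exists('hash_equals')) {
        return hash_equals($known, $candidate);
    }

    $length = strlen($known);
    if ($length !== strlen($candidate)) {
        return false;
    }

    $diff = 0;
    for ($i = 0; $i < $length; $i++) {
        $diff |= ord($known[$i]) ^ ord($candidate[$i]);
    }

    return $diff === 0;
}

/**
 * Verify a plaintext password against a stored hash in any of the supported formats.
 *
 * The format is determined by getPasswordHashTypeUF():
 *  - "sha1":      the first 25 characters of the stored value are the salt, followed by
 *                 sha1(salt . password).
 *  - "homegrown": the first 60 characters are a crypt() bcrypt result and the remainder
 *                 is the salt that was passed to crypt() with a cost of 12.
 *  - otherwise:   the value is handed to password_verify().
 *
 * The two legacy branches compare hashes with a strict, constant-time comparison.
 * The loose `==` operator must not be used here: PHP compares two numeric-looking
 * strings (for example values of the form "0e<digits>") as numbers, so different
 * hashes could be treated as equal, and `==` also returns as soon as it finds a
 * difference.
 *
 * @param string $password The plaintext password supplied by the user.
 * @param string $hash     The stored password hash.
 * @return bool True when the password matches the stored hash.
 */
function passwordVerifyUF($password, $hash)
{
    // Resolve the hash format once instead of once per branch.
    $hashType = getPasswordHashTypeUF($hash);

    if ($hashType === "sha1") {
        // Legacy salted SHA-1: extract the salt from the stored value and recompute.
        $salt = substr($hash, 0, 25);
        $hash_input = $salt . sha1($salt . $password);

        return hashEqualsCompatUF($hash, $hash_input);
    }

    if ($hashType === "homegrown") {
        // Legacy manual bcrypt implementation: the salt is stored after the 60-character digest.
        $cost = '12';
        $computed = crypt($password, "\$2y\$" . $cost . "\$" . substr($hash, 60));

        return hashEqualsCompatUF(substr($hash, 0, 60), $computed);
    }

    // Modern implementation
    return password_verify($password, $hash);
}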
 } else {
     //Passwords match! we're good to go'
     //Construct a new logged in user object
     //Transfer some db data to the session object
     $loggedInUser = new loggedInUser();
     $loggedInUser->email = $userdetails["email"];
     $loggedInUser->user_id = $userdetails["id"];
     $loggedInUser->hash_pw = $userdetails["password"];
     $loggedInUser->title = $userdetails["title"];
     $loggedInUser->displayname = $userdetails["display_name"];
     $loggedInUser->username = $userdetails["user_name"];
     $loggedInUser->alerts = array();
     //Update last sign in
     $loggedInUser->updateLastSignIn();
     // Update password if we had encountered an outdated hash
     if (getPasswordHashTypeUF($userdetails["password"]) != "modern") {
         // Hash the user's password and update
         $password_hash = passwordHashUF($password);
         if ($password_hash === null) {
             error_log("Notice: outdated password hash could not be updated because new hashing algorithm is not supported.  Are you running PHP >= 5.3.7?");
         } else {
             $loggedInUser->hash_pw = $password_hash;
             updateUserField($loggedInUser->user_id, 'password', $password_hash);
             error_log("Notice: outdated password hash has been automatically updated to modern hashing.");
         }
     }
     // Create the user's CSRF token
     $loggedInUser->csrf_token(true);
     $_SESSION["userCakeUser"] = $loggedInUser;
     $successes = array();
     $successes[] = "Welcome back, " . $loggedInUser->displayname;