Ticket #2182 (closed enhancement: fixed)
Password management
Reported by: | franck | Owned by: | franck |
---|---|---|---|
Priority: | normal | Milestone: | 2.13 |
Component: | module:auth | Version: | 2.9 |
Severity: | normal | Keywords: | |
Cc: |
Description (last modified by franck) (diff)
It would be good to plan for the use of PHP 5.5's password_…() functions, which are far more robust than those used today, even with the latest changes that allow, for example, SHA512.
That would also make it possible to do without DC_MASTER_KEY for passwords.
There is a library that makes it possible to implement this on PHP 5.3.7 → https://github.com/ircmaxell/password_compat (see the requirements).
Change History
comment:2 Changed 9 years ago by franck
- Description modified (diff)
The password_needs_rehash() function is interesting because it will allow a smooth transition of passwords.
comment:10 Changed 8 years ago by franck <carnet.franck.paul@…>
- Status changed from new to closed
- Resolution set to fixed
(In [ff5f89054250]) Fixes tpl:sysIf blog_lang generated code, closes #2182
comment:11 Changed 8 years ago by franck
- Status changed from closed to reopened
- Resolution fixed deleted
comment:12 Changed 8 years ago by franck <carnet.franck.paul@…>
- Status changed from reopened to closed
- Resolution set to fixed
(In [9bccfc2257ad]) Use PHP 5.5+ new password functions, closes #2182
Warnings:
- $core->auth->crypt($pwd) doesn't return twice the same result for a single $pwd, so if you need this old behaviour use the $core->auth->cryptLegacy($pwd) instead.
- $core->auth->checkPassword($pwd) must be used with an uncrypted password string as argument.
- if you need a unique UID/key, use http::browserUID(DC_MASTER_KEY.$core->auth->userID().$core->auth->cryptLegacy($core->auth->userID())). (may be refined in future)
A good argument for requiring PHP 5.4 at minimum starting with 2.11, or even earlier.
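The smooth transition that password_needs_rehash() makes possible, and the warning that a salted hash differs on every call, shown as an added example that is not Dotclear's code. The function names, the sample record and the legacy scheme (a deterministic HMAC-SHA512 keyed with a master key) are assumptions made for illustration.

```php
<?php
// Added example: names are hypothetical, not Dotclear's API.
const LEGACY_KEY = 'constructed-master-key'; // stands in for DC_MASTER_KEY

// Assumed legacy scheme: deterministic keyed SHA-512 (same input, same output).
function legacy_hash(string $pwd): string
{
    return hash_hmac('sha512', $pwd, LEGACY_KEY);
}

// Verify $pwd against $stored. Returns [bool $ok, ?string $newHash];
// $newHash is non-null when the caller should store an upgraded hash.
function check_and_upgrade(string $pwd, string $stored): array
{
    if (password_get_info($stored)['algoName'] === 'unknown') {
        // Legacy record: constant-time compare, then migrate on success.
        if (!hash_equals($stored, legacy_hash($pwd))) {
            return [false, null];
        }
        return [true, password_hash($pwd, PASSWORD_DEFAULT)];
    }
    if (!password_verify($pwd, $stored)) {
        return [false, null];
    }
    // Modern record: rehash only if the default algorithm or cost changed.
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($pwd, PASSWORD_DEFAULT)
        : null;
    return [true, $new];
}

// Constructed sample: a user record still holding a legacy hash.
$db = ['alice' => legacy_hash('correct horse')];

// First successful login migrates the record in place.
[$ok, $new] = check_and_upgrade('correct horse', $db['alice']);
if ($ok && $new !== null) {
    $db['alice'] = $new;
}
var_dump($ok, password_get_info($db['alice'])['algoName']);

// Later logins verify against the new hash; a wrong password still fails.
var_dump(check_and_upgrade('correct horse', $db['alice'])[0]);
var_dump(check_and_upgrade('wrong guess', $db['alice'])[0]);

// Each password_hash() call uses a fresh random salt, so two hashes of the
// same password never match as strings; comparison goes through password_verify().
var_dump(password_hash('x', PASSWORD_DEFAULT) === password_hash('x', PASSWORD_DEFAULT));
```

Because the upgrade happens only after a successful check, accounts that never log in keep their legacy hash and need a separate expiry or forced-reset policy.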