Clarify how password check is done.

cakephp · Sep 28, 2016 · e3eeb15 · e3eeb15
1 parent cca4b87
commit e3eeb15
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/en/controllers/components/authentication.rst b/en/controllers/components/authentication.rst
@@ -164,6 +164,13 @@ the following keys:
 - ``opaque`` A string that must be returned unchanged by clients. Defaults
   to ``md5($config['realm'])``.
 
+.. note::
+    To find the user record, the database is queried only using username.
+    The password check is done in PHP. This is necessary because hashing
+    algorightms like bcrypt (which is used by default) generate a new hash
+    each time, even for same string and you can't just do simple string
+    comparision in SQL to check if password matches.
+
 Customizing Find Query
 ----------------------