New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PHP7 - password_hash(): Use of the 'salt' option to password_hash is deprecated #16
Comments
I ran the test suite under PHP7 and removing the salt from Of course, removing the salt here as well removes all warnings but the tests fail because without the salt, different hashes are produced. I ran into this same issue while writing an integration test in PHP 5.6 earlier today. In the end I just had to test that the hash had changed rather than testing the exact output, and trust that password_hash() was doing what it was supposed to. Unless there's another way? |
You're right that the salt should be remove. It's there to force a rehash, but there's probably another, better way. Without looking at the code (I'm at a conference and still working), I'll bet we could use If that gets you where you need to go, awesome. Otherwise I'll look as soon as I can. |
One problem here is I want the library to support PHP >= 5.3.7. Removing the salt to support PHP >= 7 is necessary, but that breaks the library for earlier versions of PHP. I wonder if having two different versions of the library is the right way to go? Hmmm. |
For Regarding legacy support: does the password_compat library require a salt then? I'm not entirely familiar with it. I suppose one option would be to maintain a version 3.x branch which supports up to PHP 5.6, and have all future versions onwards only support PHP 5.5 onwards? The only other alternative would be to suppress the warning with the @ symbol. Eww 😆 |
Right, I've had a go at implementing what I've suggested above. Commits (not submitted PR yet): I've hooked up my fork to Travis and all builds are passing (including PHP 5.3) except PHP 7. There, the tests are passing but there's some kind of segfault after: This is the first time I've used Travis so I've no idea what this means. |
Blerg. That has to do with a code coverage dependency. Change this line and replace |
@garethellis36 Added a comment on your commit. |
Slightly tweaked approach following discussion on previous commit: |
garethellis36@f3d6b8f |
Geez. Bad advice! I should have some time to look this afternoon. Between the two of us we should get it worked out. |
I'm going to submit this as a PR so that the commits and discussion are together. |
Fixed in #21. |
Warning: password_hash(): Use of the 'salt' option to password_hash is deprecated
This is emitted from lines 51-54 of
UpgradeDecorator::isValid()
.I'm assuming that this is just a temporary hash that can then be re-hashed inPasswordValidator
again. And I'm guessing that you have to make sure you have a reasonably unique salt/cost orpassword_needs_rehash
will return false. Not sure what to suggest.Could the salt not be removed here? If it produces a hash which matches the options set for
PasswordValidator
then all will be good; otherwise it will just be re-hashed again byPasswordValidator
. Right?The text was updated successfully, but these errors were encountered: