bug #3600 [Security][Authentication] Fix instructions for creating password encoders (bicpi)

This PR was merged into the 2.3 branch.


[Security][Authentication] Fix instructions for creating password encoders

| Q             | A
| ------------- | ---
| Doc fix?      | yes
| New docs?     | no
| Applies to    | 2.3+
| Fixed tickets | -

Please correct me if I am wrong, but it seems that the code has changed after #3003. There is no `BasePasswordEncoder::checkPasswordLength()` method. Same seems to apply to 2.4. Maybe the implementation was changed to make it bc?


e95c1f5 [Security][Authentication] Fix instructions for creating custom password encoders
weaverryan committed Mar 8, 2014
2 parents e7d5a45 + e95c1f5 commit 0c41762a768c6b8979d6eb79256b65df762156fd
Showing with 30 additions and 4 deletions.
  1. +30 −4 components/security/authentication.rst
@@ -198,10 +198,36 @@ own, it just needs to follow these rules:
#. The class must implement :class:`Symfony\\Component\\Security\\Core\\Encoder\\PasswordEncoderInterface`;
#. The first line in ``encodePassword`` and ``isPasswordValid`` must check
to make sure the password is not too long (e.g. 4096). This is for security
(see `CVE-2013-5750`_), and you can copy the `BasePasswordEncoder::checkPasswordLength`_
implementation from Symfony 2.4.
#. The implementations of
must first of all make sure the password is not too long, i.e. the password length is no longer
than 4096 characters. This is for security reasons (see `CVE-2013-5750`_), and you can use the
method for this check:
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
class FoobarEncoder extends BasePasswordEncoder
public function encodePassword($raw, $salt)
if ($this->isPasswordTooLong($raw)) {
throw new BadCredentialsException('Invalid password.');
// ...
public function isPasswordValid($encoded, $raw, $salt)
if ($this->isPasswordTooLong($raw)) {
return false;
// ...
Using Password Encoders
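
Review bot: In the added FoobarEncoder example, the length check calls `$this->isPasswordTooLong($raw)`, which is only available because the class extends BasePasswordEncoder, while the first rule in this list only requires implementing PasswordEncoderInterface. The rewritten rule should say that an encoder implementing the interface directly has to do its own comparison against the 4096-character limit, and that in either case the check has to run before any hashing work, as the replaced text did with "the first line". It would also help to say in the prose why encodePassword throws BadCredentialsException while isPasswordValid returns false, so readers do not copy one behaviour into the other method. In the lines shown here there is a `use` statement for BadCredentialsException but none for BasePasswordEncoder; please confirm the example imports it.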
