Only add salt to password_hash on PHP < 7 #16014
Conversation
Ignoring the salt would also work on older PHP versions. Though I think it's not expected behaviour to simply ignore the salt if it is passed. So I am 👎 on this change.
IMO, the behavior should be consistent: if the user passes a salt, we use it.
According to @ircmaxell: "One thing has become abundantly clear to me: the salt option is [...] I've come to the conclusion that I don't think we should allow users [...]" So I don't think it is a good idea to keep allowing users to pass a salt since the recommended way is to rely on the internal salt generation. And it might be promoting bad practices if we know it's not safe but still allow it.
Well, we could think about deprecating the ability to pass a salt. At least, that would be less confusing and would step away from silently allowing insecure usage of the encoder.
Indeed, doing the same as PHP.
@pierredup Do you plan to finish this one in the near future?
@fabpot I'm not exactly sure what to do here.
My suggestion would be to always generate the salt yourself. Never accept a passed in salt. There is no reason to accept a non-generated one, especially if you use standard algorithms. This is a BC break though, so perhaps deprecate it first.
Replaced by #16459
…ordEncoder::encodePassword() (nicolas-grekas)

This PR was merged into the 2.8 branch.

Discussion
----------

[Security\Core] Deprecate passing $salt to BCryptPasswordEncoder::encodePassword()

| Q             | A      |
| ------------- | ------ |
| Bug fix?      | no     |
| New feature?  | no     |
| BC breaks?    | no     |
| Deprecations? | yes    |
| Tests pass?   | yes    |
| Fixed tickets | #16014 |
| License       | MIT    |
| Doc PR        | -      |

Commits
-------

770bd8c [Security\Core] Deprecate passing $salt to BCryptPasswordEncoder::encodePassword()
The `salt` option for the `password_hash` function is deprecated since PHP 7, so it should not be added when running on PHP 7.