PhpassHashedPassword::check

public PhpassHashedPassword::check($password, $hash)

Check whether a plain text password matches a hashed password.

Parameters

string $password: A plain-text password

string $hash: A hashed password.

Return value

bool TRUE if the password is valid, FALSE if not.

Overrides PasswordInterface::check

File

core/lib/Drupal/Core/Password/PhpassHashedPassword.php, line 221

Class

PhpassHashedPassword
Secure password hashing functions based on the Portable PHP password hashing framework.

Namespace

Drupal\Core\Password

Code

public function check($password, $hash) {
  if (substr($hash, 0, 2) == 'U$') {
    // This may be an updated password from user_update_7000(). Such hashes
    // have 'U' added as the first character and need an extra md5() (see the
    // Drupal 7 documentation).
    $stored_hash = substr($hash, 1);
    $password = md5($password);
  }
  else {
    $stored_hash = $hash;
  }

  $type = substr($stored_hash, 0, 3);
  switch ($type) {
    case '$S$':
      // A normal Drupal 7 password using sha512.
      $computed_hash = $this->crypt('sha512', $password, $stored_hash);
      break;
    case '$H$':
      // phpBB3 uses "$H$" for the same thing as "$P$".
    case '$P$':
      // A phpass password generated using md5.  This is an
      // imported password or from an earlier Drupal version.
      $computed_hash = $this->crypt('md5', $password, $stored_hash);
      break;
    default:
      return FALSE;
  }

  // Compare using hashEquals() instead of === to mitigate timing attacks.
  return $computed_hash && Crypt::hashEquals($stored_hash, $computed_hash);
}
doc_Drupal
2016-10-29 09:33:49
Comments
Leave a Comment

Please login to continue.