I had the same problem, and some others. I use the Auth components
but made a few changes in the application without modifications to the
core:

- do not use the name "password" in the views (login or other user
management views), but another "dummy" name. Handle this dummy name
(hash or whatever and replace in your password field) prior to save.
- do not use the login function of the Auth component directly. Instead make
your own "login" method and pass the id of your user record to the
Auth component => it will read the record using the id (not comparing
password), and store the User record in session.

Hope this helps


On Sep 6, 1:33 pm, MrTufty <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> Just a quick question - I've searched, but found nothing definitive.
>
> I'm building my site with Cake and I've decided to use the built-in
> ACL/Auth stuff rather than write my own (mostly because I'm sure
> you're all a lot smarter than I am, and if it works for you, then
> it'll probably work for me).
>
> However... I'm not a fan of the way that the passwords appear to be
> getting hashed, using the CAKE_SESSION_STRING as a salt value. In
> general I prefer to generate a random salt value for each user. Ok, it
> means an extra DB query (to retrieve the user's salt value) for pretty
> much every page request, but I think that it's worth it from the point
> of view of security (I'm paranoid I guess).
>
> I've just successfully built a site using a system like this (non-Cake
> though - my employers balked at my previous Cake sites because my
> colleagues couldn't understand the code - they said they needed to go
> on a training course to figure it out!).
>
> Is there a way to make my Cake site salt/hash the passwords in this
> way? If so, where should I be making changes/overriding functions in
> order to make it happen?
>
> Thanks!
>
> Steve
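
The two steps from the reply, sketched as an added example in plain PHP (not code from this thread or from CakePHP). The field name `passwd_plain`, the function names and the in-memory `$users` array are hypothetical; it uses PHP's built-in `password_hash()`, which stores a random per-user salt inside the hash string, so no separate salt column or extra query is needed.

```php
<?php
// Added example: plain PHP, not CakePHP code.
// Constructed in-memory stand-in for the users table, keyed by username.
$users = array();

// Step 1: the form posts the secret under a dummy field name
// ("passwd_plain", hypothetical) so nothing hashes it before we do.
function prepare_user_for_save(array $form)
{
    $plain = $form['passwd_plain'];
    unset($form['passwd_plain']);          // never persist the plaintext
    // password_hash() draws a fresh random salt on every call and embeds
    // it, with the algorithm and cost, in the returned string.
    $form['password'] = password_hash($plain, PASSWORD_DEFAULT);
    return $form;
}

// Step 2: our own login check. Returns the user's id on success, false
// otherwise; the id is what gets handed to the Auth component.
function check_login(array $users, $username, $plain)
{
    // Decoy hash verified when the username is unknown, so both paths
    // perform one full hash computation.
    static $decoy = null;
    if ($decoy === null) {
        $decoy = password_hash('decoy', PASSWORD_DEFAULT);
    }
    $row = isset($users[$username]) ? $users[$username] : null;
    $stored = $row ? $row['password'] : $decoy;
    // password_verify() re-derives the hash using the embedded salt and
    // compares in constant time.
    $ok = password_verify($plain, $stored);
    return ($row && $ok) ? $row['id'] : false;
}

// Constructed sample data: two users who chose the same password.
foreach (array('alice', 'bob') as $i => $name) {
    $row = prepare_user_for_save(array('username' => $name, 'passwd_plain' => 'hunter2'));
    $row['id'] = $i + 1;
    $users[$name] = $row;
}

// Same password, different stored hashes, because each has its own salt.
var_dump($users['alice']['password'] !== $users['bob']['password']);
var_dump(check_login($users, 'bob', 'hunter2'));      // correct password
var_dump(check_login($users, 'bob', 'wrong'));        // wrong password
var_dump(check_login($users, 'mallory', 'hunter2'));  // unknown user
```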

