Magento uses MD5 with a salt to store passwords for both customers and admin users.
How Magento creates an encrypted password
Magento creates the password hash with:
    Mage::getModel('core/encryption')->getHash($password, 2); // getHash() builds the salted MD5 shown below; the 2 asks for a two-character random salt
Here is the logic behind that call:
    $password = "12345678";
    $salt = "at";
    $passwordHash = md5($salt . $password) . ":" . $salt;   // md5("at12345678") followed by ":at"
In the function above, $salt is a randomly generated string of two alphanumeric characters.
How Magento validates a password
The function below validates the user's password:
Mage::getModel('customer/customer')->authenticate($email, $password);
The logic behind that function is:
    $email = "techbandhus@gmail.com";
    $password = "123456";
    // Load the customer by email address for the current website
    $customer = Mage::getModel('customer/customer')
        ->setWebsiteId(Mage::app()->getStore()->getWebsiteId())
        ->loadByEmail($email);
    // If loaded, get the stored password hash from the database
    $hash = $customer->getData("password_hash");
    // Split on ':'; the part after it is the two-character salt
    $hashArr = explode(':', $hash);
The split and comparison are done by validateHash() on the core/encryption model:
    public function validateHash($password, $hash)
    {
        $hashArr = explode(':', $hash);
        switch (count($hashArr)) {
            case 1:
                // Legacy row: bare MD5 with no salt
                return $this->hash($password) === $hash;
            case 2:
                // Salted row: MD5 of salt . password must equal the first part
                return $this->hash($hashArr[1] . $password) === $hashArr[0];
        }
        Mage::throwException('Invalid hash.');
    }
So it simply means that if the stored value is just an MD5 of the password with no salt appended (the case 1 branch above), login will still work.
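The hash construction and the two validateHash() branches described above, as an added stand-alone example (not Magento's own code) that runs without a Magento install. magentoHash(), validateHash() and isSaltedHash() are names chosen for this example, and the sample password and salt are constructed values:

```php
<?php
// Added example: a stand-alone re-implementation of the Magento 1 password-hash
// format md5(salt . password) . ':' . salt, so both branches of validateHash()
// can be exercised without loading Mage.php.

// Build a hash the way the page describes: two alphanumeric salt characters,
// MD5 over salt . password, salt appended after a colon.
function magentoHash(string $password, ?string $salt = null): string
{
    if ($salt === null) {
        $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        $salt = '';
        for ($i = 0; $i < 2; $i++) {
            $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
        }
    }
    return md5($salt . $password) . ':' . $salt;
}

// Mirror of the validateHash() logic quoted above, with the comparison done
// in constant time via hash_equals(). The one-part branch is the legacy
// unsalted-MD5 path that the page points out still authenticates.
function validateHash(string $password, string $hash): bool
{
    $parts = explode(':', $hash);
    switch (count($parts)) {
        case 1:
            return hash_equals($hash, md5($password));
        case 2:
            return hash_equals($parts[0], md5($parts[1] . $password));
    }
    throw new RuntimeException('Invalid hash.');
}

// Defender-side check: does a stored hash carry a salt at all? Rows for which
// this returns false rely on bare MD5 and should be re-hashed on the next
// successful login rather than silently accepted forever.
function isSaltedHash(string $hash): bool
{
    return count(explode(':', $hash)) === 2;
}

// Constructed sample data (values chosen for this example only).
$password = '12345678';
$salted   = magentoHash($password, 'at');   // fixed salt so the output is reproducible
$legacy   = md5($password);                 // unsalted hash as an old row might hold

assert($salted === md5('at12345678') . ':at');
assert(validateHash($password, $salted) === true);
assert(validateHash('wrong', $salted) === false);
assert(validateHash($password, $legacy) === true);   // bare MD5 still logs in
assert(isSaltedHash($salted) === true);
assert(isSaltedHash($legacy) === false);

echo "salted hash: $salted\n";
echo "legacy hash: $legacy (salted? " . (isSaltedHash($legacy) ? 'yes' : 'no') . ")\n";
```

Run it with the php CLI. The last two checks are the practical takeaway: a stored value without a ':' is accepted by the same code path as a salted one, so an audit of the password_hash column for rows lacking the separator tells you which accounts still depend on unsalted MD5.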
Examples:
- Customer side: to authenticate customers
    // Or whatever the path to your app/Mage.php happens to be ...
    require_once(dirname(__FILE__) . '/app/Mage.php');

    // Initialize Magento ...
    Mage::app("default");

    // Set the variables that we care about.
    $id = 1;                                      // The website ID passed to setWebsiteId(). Since Magento can handle several websites, this may change.
    $username = 'their.email@their.domain.com';   // Their email address / username (the same thing)
    $password = 'theirpassword';                  // Their password.

    try {
        $blah = Mage::getModel('customer/customer')->setWebsiteId($id)->authenticate($username, $password);
    } catch (Exception $e) {
        $blah = false;
    }
- Admin side: to authenticate admin users
    // Or whatever the path to your app/Mage.php happens to be ...
    require_once(dirname(__FILE__) . '/app/Mage.php');

    // Initialize Magento ...
    Mage::app("default");

    // Set the variables that we care about.
    $username = 'admin';      // Or whatever username we're going with.
    $password = 'password';   // Obviously, replace this with whatever the actual password you're looking to validate is.

    $blah = Mage::getModel('admin/user')->authenticate($username, $password);
After either of these blocks of code, depending on whether you're validating an admin or a customer, $blah will contain TRUE for valid credentials or FALSE for invalid ones.
Source: Magento: validating customer passwords / How Magento stores and validates passwords