Magento (1.x) stores customer and admin user passwords as a salted MD5 hash.
How Magento creates the password hash
Magento creates the stored hash with the core encryption model:
Mage::getModel('core/encryption')->getHash($password, $salt);
The logic behind getHash($password, $salt) is:
$password = "12345678";
$salt = "at";
$encyPassword = md5($salt . $password) . ":" . $salt;
Here $salt is a randomly generated string of two alphanumeric characters. The stored value is the 32-character hex MD5 digest, a colon, and the salt, so a salted hash is 35 characters long and the salt is stored in clear text next to the digest.
How Magento validates a password
The function below validates a customer's password:
Mage::getModel('customer/customer')->authenticate($email, $password);
The logic behind that call is:
$email = "[email protected]";
$password = "123456";

// Load the customer by email address (scoped to the current website)
$customer = Mage::getModel('customer/customer')
    ->setWebsiteId(Mage::app()->getStore()->getWebsiteId())
    ->loadByEmail($email);

// If loaded, get the stored hash from the database
$hash = $customer->getData("password_hash");

// The stored value is "<md5>:<salt>"; the two characters after the colon are the salt
$hashArr = explode(':', $hash);

// Mage_Core_Model_Encryption::validateHash() does the actual comparison:
public function validateHash($password, $hash)
{
    $hashArr = explode(':', $hash);
    switch (count($hashArr)) {
        case 1:
            // no salt suffix: compare against a bare MD5 of the password
            return $this->hash($password) === $hash;
        case 2:
            // salted: md5(salt . password) must equal the part before the colon
            return $this->hash($hashArr[1] . $password) === $hashArr[0];
    }
    Mage::throwException('Invalid hash.');
}
So a stored value with no ":salt" suffix, i.e. a bare MD5 of the password, is also accepted (case 1) and login works with it. Two consequences follow: legacy unsalted hashes keep validating, and anyone who can write the password_hash attribute (for example through SQL injection or a compromised database account) can set a known md5() value and log in as that customer. The two-character salt is visible in the hash, so it only defeats precomputed tables; offline guessing still costs one MD5 per candidate.
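To make the scheme concrete, here is a standalone Python re-implementation of the getHash/validateHash logic described above. This is an added example, not Magento's own code; the salt alphabet (0-9a-zA-Z), the random_salt and guess_password helpers and the use of a constant-time comparison are this example's assumptions (Magento compares with ===). It builds both the salted and the legacy unsalted form, shows that validation accepts both, and runs a small constructed wordlist against a hash to show why a public two-character salt does not slow an offline guess.

```python
import hashlib
import hmac
import secrets
import string
from typing import Iterable, Optional

# Assumptions for this re-implementation (not Magento's code): salt alphabet is
# 0-9a-zA-Z and the legacy salt length is two characters, as the page describes.
SALT_ALPHABET = string.ascii_letters + string.digits
LEGACY_SALT_LEN = 2


def md5_hex(text: str) -> str:
    """Plain MD5 hex digest, the equivalent of PHP's md5()."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def random_salt(length: int = LEGACY_SALT_LEN) -> str:
    """Random alphanumeric salt of the given length (hypothetical helper)."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def get_hash(password: str, salt: Optional[str]) -> str:
    """Build a stored password value in the format the page describes.

    salt=None -> bare MD5 with no ':salt' suffix (the legacy unsalted form)
    salt='at' -> md5(salt . password) + ':' + salt
    """
    if salt is None:
        return md5_hex(password)
    return md5_hex(salt + password) + ":" + salt


def validate_hash(password: str, stored: str) -> bool:
    """Mirror of the explode(':') logic: one part means an unsalted MD5, two
    parts mean md5(salt . password):salt, anything else is an invalid hash.
    compare_digest is a hardening choice of this example; Magento uses ===."""
    parts = stored.split(":")
    if len(parts) == 1:
        return hmac.compare_digest(md5_hex(password), parts[0])
    if len(parts) == 2:
        digest, salt = parts
        return hmac.compare_digest(md5_hex(salt + password), digest)
    raise ValueError("Invalid hash.")


def guess_password(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing against a dumped hash: the salt sits in clear text
    beside the digest, so each candidate costs exactly one MD5 computation."""
    for cand in candidates:
        if validate_hash(cand, stored):
            return cand
    return None


if __name__ == "__main__":
    salted = get_hash("12345678", "at")          # salt fixed to match the page
    unsalted = get_hash("12345678", None)        # bare md5, still accepted
    print("salted  :", salted)
    print("unsalted:", unsalted)
    print("login with salted   :", validate_hash("12345678", salted))
    print("login with unsalted :", validate_hash("12345678", unsalted))
    print("fresh salt          :", get_hash("12345678", random_salt()))
    # constructed wordlist, not real data
    print("guessed:", guess_password(salted, ["password", "123456", "12345678"]))
```

Run it as a script to print both stored forms; hashcat's mode for md5($salt.$pass) consumes the same "digest:salt" layout once the two parts are swapped into its hash:salt order, which is the practical reason a leaked Magento 1.x customer table cracks quickly.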
Examples:
- Front end: authenticating a customer
// Or whatever the path to your app/Mage.php happens to be ...
require_once( dirname(__FILE__).'/app/Mage.php' );

// Initialize Magento ...
Mage::app("default");

// Set the variables that we care about.
$id = 1;                           // The website ID. Magento can host several websites, so this may change.
$username = '[email protected]';    // Their email address / username (the same thing)
$password = 'theirpassword';       // Their password.

try {
    $blah = Mage::getModel('customer/customer')
        ->setWebsiteId($id)
        ->authenticate($username, $password);
} catch (Exception $e) {
    // customer authenticate() throws on a bad email/password instead of returning false
    $blah = false;
}
- Back end: authenticating an admin user
// Or whatever the path to your app/Mage.php happens to be ...
require_once( dirname(__FILE__).'/app/Mage.php' );

// Initialize Magento ...
Mage::app("default");

// Set the variables that we care about.
$username = 'admin';     // Or whatever username we're going with.
$password = 'password';  // Obviously, replace this with whatever the actual password you're looking to validate is.

$blah = Mage::getModel('admin/user')->authenticate($username, $password);
After either of these blocks, depending on whether you are validating an admin or a customer, $blah will contain TRUE if the credentials are valid or FALSE if they are not. The customer model signals failure by throwing an exception, which is why that call is wrapped in try/catch; the admin model's authenticate() returns a boolean directly.
Reposted from: Magento: 验证客户密码 (How Magento stores and validates passwords)