= Yii 2 Basic Application Template = == Improved Password Security == By default, the basic template comes with plain text password support in file ''@app/models/User.php''. To improve this by using a salted password hash, a few changes are needed. Model file ''@app/models/User'' class User extends \yii\base\Object implements \yii\web\IdentityInterface { public $id; public $username; //public $password; // Remove plain password support public $authKey; public $accessToken; public $passwordHash; // Use password hash. Generated like... password_hash("User'sPassword", PASSWORD_DEFAULT); private static $users = [ '100' => [ 'id' => '100', 'username' => 'admin', 'authKey' => 'test100key', 'accessToken' => '100-token', 'passwordHash' => '$2y$10$/lVWm8iL07.zoBE.7nM8ueDSPiR8XwxyoAuZPfCclPZ3PscOXM.KK' // 123admin ], ... ]; /** * Find username for specified userid. * * @id integer $id of user to search. * @return string Username if found, 'N/A' if not found. */ public static function findUsername($id) { $usr = isset(self::$users[$id]) ? new static(self::$users[$id]) : null; if (count($usr) > 0) { return $usr->username; } else { return 'N/A'; } } ... /** * Validates password * * @param string $password password to validate * @return boolean if password provided is valid for current user */ public function validatePassword($password) { //return $this->password === $password; // disable plain password support return password_verify($password, $this->passwordHash); // enable password hash support } } Model file ''@app/models/PasswordForm'' hasErrors()) { $this->addError($attribute, 'Invalid or unsupported password.'); } } public function encrypt() { if ($this->validate()) { return password_hash($this->password, PASSWORD_DEFAULT); // hash //return $this->password; // plain } return false; } } Password hash generation view. This is a tool to help generate password hashes for the User model. 
Copy the generated hash and enter it in file ''@app/models/User.php'' as the passwordHash of the required user. E.g.: 'passwordHash' => '$2y$10$/lVWm8iL07.zoBE.7nM8ueDSPiR8XwxyoAuZPfCclPZ3PscOXM.KK' // 123admin View ''@app/views/site/password'' title = 'Password Encryption'; $this->params['breadcrumbs'][] = $this->title; ?>

title) ?>

Enter a password to encrypt:

'login-form', 'options' => ['class' => 'form-horizontal'], 'fieldConfig' => [ 'template' => "{label}\n
{input}
\n
{error}
", 'labelOptions' => ['class' => 'col-lg-1 control-label'], ], ]); ?> field($model, 'password')->passwordInput() ?>
'btn btn-primary', 'name' => 'encrypt-button']) ?>
View ''@app/views/layout/main'' to call ''password'' view: echo Nav::widget([ 'options' => ['class' => 'navbar-nav navbar-right'], 'items' => [ ['label' => 'Home', 'url' => ['/site/index']], // Admin menu only !Yii::$app->user->isGuest && Yii::$app->user->identity->username === 'admin' ? ['label' => 'Admin', 'url' => ['/site/admin'], 'items' => [ ... ['label' => 'Encrypt User Password', 'url' => ['/site/password']], ]] : '', ], ]); NavBar::end(); ?> Controller ''@app/controllers/SiteController'' to display ''password'' view (note that the ''@'' role in the access rule below admits every authenticated user, not only ''admin'' as the menu condition above suggests; hiding the menu entry is not access control, so narrow the rule, for example with a matchCallback on the identity, if the tool is meant for admins only): use app\models\PasswordForm; ... class SiteController extends Controller { public function behaviors() { return [ 'access' => [ 'class' => AccessControl::className(), 'rules' => [ [ 'actions' => [..., 'password'], 'allow' => true, 'roles' => ['@'], // @ = Authenticated users ], ... ], ], ... ]; } ... public function actionPassword() { $encrypted_password = ''; $model = new PasswordForm(); if ($model->load(Yii::$app->request->post()) && $model->encrypt()) { Yii::$app->session->setFlash('Password encrypted'); $encrypted_password = $model->encrypt(); } return $this->render('password', [ 'model' => $model, 'encrypted_password' => $encrypted_password, ]); } }