After an upgrade to php7, the BCryptPasswordEncoder throws the following error, e.g. on registration when using FOSUserBundle standard registration page:
"Use of the 'salt' option to password_hash is deprecated in C:\xampp\htdocs\ascentary \vendor\symfony\symfony\src\Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder.php line 81 " at C:\xampp\htdocs\testproject\vendor\behat\behat\src\Behat\Testwork\Call\Handler\RuntimeCallHandler."
I've tracked down this issue, and the problem is the FOS UserManager class, which calls:
    /**
     * {@inheritDoc}
     */
    public function updatePassword(UserInterface $user)
    {
        if (0 !== strlen($password = $user->getPlainPassword())) {
            $encoder = $this->getEncoder($user);
            $user->setPassword($encoder->encodePassword($password, $user->getSalt()));
            $user->eraseCredentials();
        }
    }
Passing $user->getSalt() here throws the error, because as of PHP 7 you are no longer allowed to pass a custom salt to the bcrypt encoding / password_hash function. In addition, I see a problem in the base FOS user entity, because in its constructor the salt is set like:
    $this->salt = base_convert(sha1(uniqid(mt_rand(), true)), 16, 36);
Questions:
(1) How to solve the error I posted above? Maybe overriding the UserManager, or is there a solution provided by fos?
(2) How to properly save the salt that is automatically being generated?
(3) Are there any other updates required, like updating the ircmaxell lib?
Upgrade to Symfony 3.

BCryptPasswordEncoder.php, line 75:

    if ($salt) {
        // Ignore $salt, the auto-generated one is always the best
    }
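The behaviour behind this answer, as an added example (not code from the question, the answer, Symfony or FOSUserBundle; the function names are hypothetical and the cost factor of 12 is an assumption): on PHP 7, password_hash() generates its own random salt and keeps it inside the returned hash string, so the entity's salt column has nothing to contribute to either encoding or verification.

```php
<?php
// Added example, not code from the question or from Symfony/FOSUserBundle.
// Shows the PHP 7 way of hashing: password_hash() creates its own random salt
// and stores it inside the returned 60-character string, so the user entity's
// salt column never needs to be passed to the encoder.
declare(strict_types=1);

// Replacement for the encodePassword($password, $salt) call in the question:
// no 'salt' option at all, only the cost factor (assumption: cost 12).
function encodeBcrypt(string $plain, int $cost = 12): string
{
    // bcrypt only looks at the first 72 bytes; refuse longer input instead of
    // silently hashing a prefix.
    if (strlen($plain) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Split "$2y$12$<22 salt chars><31 digest chars>" into its fields to make the
// embedded salt visible. Helper name is hypothetical.
function parseBcrypt(string $hash): array
{
    $re = '#^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['version' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// Login-time check: the stored string alone is enough, and a hash made with a
// lower cost than currently configured gets upgraded on the next good login.
function verifyAndMaybeRehash(string $plain, string $stored, int $cost = 12): array
{
    $ok = password_verify($plain, $stored);
    $needsRehash = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost]);
    return ['ok' => $ok, 'newHash' => $needsRehash ? encodeBcrypt($plain, $cost) : null];
}

$stored = encodeBcrypt('correct horse battery staple');
$again  = encodeBcrypt('correct horse battery staple');

var_export([
    'fields'       => parseBcrypt($stored),
    'salts_differ' => parseBcrypt($stored)['salt'] !== parseBcrypt($again)['salt'],
    'login_good'   => verifyAndMaybeRehash('correct horse battery staple', $stored),
    'login_bad'    => verifyAndMaybeRehash('wrong', $stored),
    'cost_bump'    => verifyAndMaybeRehash('correct horse battery staple', $stored, 13),
]);
```

Because the salt travels inside the hash, the legacy salt column can be left empty or dropped once every user has been re-encoded through this path.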