Mcrypt

Zf has an mcrypt component that can decode too. As for storing the password in a remember-me login cookie, would it be good to encode/decode it, or is it still better to forget about creating a remember-login option on the login form?

How do you mean, encode/decode? Do you mean to say you have user’s passwords stored plain text in your database? If so, that is horrible practice and you should stop it immediately. Yes, right now!

As for your question, neither. What you do is you associate a special random key to the user (something like sha1(microtime()), save that in the database, and also save it in the cookie. It also doesn’t hurt to refresh this value every once in a while.
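The "remember me" scheme from the reply above, written out as an added example (not code from the thread or from ZF). Two deliberate changes from the reply, both named here: random_bytes() replaces sha1(microtime()) as the randomness source, and the database stores only a hash of the secret, so a leaked table cannot be replayed as cookies; the cookie name, 30-day lifetime and in-memory $db table are assumptions.

```php
<?php
// Added example, not code from the thread. "Remember me" token: a random
// secret tied to the user, kept in the database and in a cookie, rotated on
// use. Differences from the reply above: random_bytes() instead of
// sha1(microtime()), and the database keeps only a hash of the secret.
// $db is an in-memory stand-in for a real table.

const REMEMBER_COOKIE = 'remember_me';     // assumed cookie name
const REMEMBER_TTL    = 30 * 24 * 3600;    // 30 days, assumed policy

// Issue a token for $user_id: stores selector + hash in $db, returns "selector:validator".
function issue_remember_token(array &$db, int $user_id): string
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = random_bytes(32);           // secret; only its hash is stored
    $db[$selector] = [
        'user_id' => $user_id,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . bin2hex($validator);
}

// Check a presented cookie value; returns the user id, or null if malformed,
// unknown, expired or wrong. A used token is deleted (rotation).
function verify_remember_token(array &$db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || strlen($parts[1]) !== 64 || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validatorHex] = $parts;
    $row = $db[$selector] ?? null;
    if ($row === null || $row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison, so timing does not leak how close a guess was.
    if (!hash_equals($row['hash'], hash('sha256', hex2bin($validatorHex)))) {
        return null;
    }
    unset($db[$selector]);                   // single use; caller issues a new one
    return (int) $row['user_id'];
}

// Usage: set the cookie at login with HttpOnly/Secure; on a later visit try it first.
$db = [];
$cookie = issue_remember_token($db, 42);
setcookie(REMEMBER_COOKIE, $cookie, ['expires' => time() + REMEMBER_TTL, 'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
var_dump(verify_remember_token($db, $cookie));   // accepted once
var_dump(verify_remember_token($db, $cookie));   // rejected: already rotated
```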

Of course this is not plain. I am using password_hash in the db. I meant how to save login credentials in a cookie to auto-fill the login form next time if remember login was checked last time. Since the plain password is not available from the db, how to auto-fill the login form if remember me was checked?

Then with that secret key in cookie and in db as you suggested how to auto-fill in login form that user can submit to get logged in?

You don’t fill in the login form. You check if they are logged in and if they are not you check if you can log them in using the code. What you’re describing sounds like autocomplete, what browsers do automatically (unless you don’t want them to, which you should).

Since browsers offer an option to remember login data, would you personally offer the option to auto-login as you described, or is it better to forget this option altogether?
Can you also help with a regexp to check whether a string has the password_hash option or not?

You’re comparing apples and oranges. What you’re describing is a system where when you come back to the page your username and password are already filled in for you. If you ever wanted to do this I would do it for the username only (like gmail does), but never for the password, not even encrypted. Cookies are simply not the place for passwords, in whichever form.
What I was talking about is a “remember me” option, where you stay logged in even if the session has long since expired, like here on the forums.

Why do you need that? If you’re mixing an old and a new system you could just do


if (!password_verify($user_password, $db_hash))
{
    // Not a password_hash() result (or wrong password): try the legacy scheme.
    if (!old_custom_password_verify_method($user_password, $db_hash))
    {
        throw new \Exception('Failed to login!');
    }
    else
    {
        // Legacy hash matched: re-hash with the current algorithm and store it.
        set_user_password($user, password_hash($user_password, PASSWORD_DEFAULT));
        // login ok. handle login details.
    }
}
else
{
    // login ok. handle login details.
}

Where $user_password is a password you got from the user, e.g., via $_POST

No, I need the regexp for some other purposes. Please help with the regexp.

I have no idea where to even start, and since I’m not doing all the work for you (that’s not what forums are for), I suggest you get a definition of what a password_hash’ed password looks like and we’ll take it from there. Deal?

Looks like this:
The format is like this,
$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a
$2y$12$QjSH496pcT5CEbzjD/vtVeH03tfHKFy36d4J0Ltp3lRtee9HDxY3K

The first 4 characters are this: $2y$
then the cost, that might be 1 or 2 digits, then again $
so:
$2y$10$
or
$2y$1$
then the entire string length is a minimum of 60.
Now can you help with the regexp?

^\$2y\$\d{2}\$[a-zA-Z0-9./]{53,}$

That should do it :slight_smile:

^ - make sure the first thing we match matches at the start of the string
\$ - match a $ literally
2y - match 2y literally
\$ - match a $ literally
\d{2} - match any two digits in a row (exactly two, not more, not less)
\$ - match a $ literally
[a-zA-Z0-9/]{53,} - match at least 53 letters and/or digits, and/or slashes, bringing the total string up to at least 60 since the start of the string is 7 characters long.
$ - make sure the end of the string is here, i.e., don’t match if anything follows after this point

example


preg_match(
   '~^\\$2y\\$\\d{2}\\$[a-zA-Z0-9./]{53,}$~',
   '$2y$12$QjSH496pcT5CEbzjD/vtVeH03tfHKFy36d4J0Ltp3lRtee9HDxY3K',
   $results
);
var_dump($results);
// array(1) { [0]=> string(60) "$2y$12$QjSH496pcT5CEbzjD/vtVeH03tfHKFy36d4J0Ltp3lRtee9HDxY3K" }

Thanks a lot. Just a very, very small mistake: at the start, depending on whether the digits are one or two, it may not always be 7 but may be 6 too. So better to assume it is 7 as you suggested, because if we change 53 then the start will be 6 and it may or may not work! Now I should create a function old_password_hash and put this regex in that function. Or is the function you suggested an already-made function that I am not aware of?!

Oh no! I said this is min. 60 chars not max.! So what changes should I do?

Replace {53,} with {,53} :slight_smile:

As for your other question, what are you trying to do exactly?

I want to create a function old_password($new, $old) to pass two passwords to it; if the regexp does NOT match it returns true, saying yes this is old, and if the regexp matches it returns false, saying no this is not old. How is that function?

Why do you want that function? What do you need it for?

I need to check if a string is already password_hashed, don’t password_hash it again. Please just give the func. I need it.

I already gave you the regular expression and an example use. Writing a function for this is not hard. I’ll leave you to write it, I’m not your code monkey.
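The "is this already a password_hash() result" check asked for above, as an added example that is not code from the thread. It uses a corrected form of the thread's regex (bcrypt's alphabet is ./A-Za-z0-9, so '.' must be allowed, as the first sample hash in the thread shows, and a bcrypt string is exactly 60 characters) beside PHP's own password_get_info(); the single-argument is_old_password() signature and the sample inputs are my choices.

```php
<?php
// Added example, not code from the thread. Two ways to decide whether a stored
// value is already a password_hash() bcrypt result, so a migration like the
// one earlier in the thread does not hash it a second time.

// Corrected form of the thread's regex: the bcrypt radix-64 alphabet is
// ./A-Za-z0-9 (the first sample hash starts with '.'), and after the 7-char
// "$2y$NN$" prefix the body is exactly 53 characters, 60 in total.
const BCRYPT_PATTERN = '~^\$2y\$\d{2}\$[./A-Za-z0-9]{53}$~';

function looks_like_bcrypt(string $value): bool
{
    return preg_match(BCRYPT_PATTERN, $value) === 1;
}

// PHP's own parser: password_get_info() reports the algorithm it recognises,
// which is the check to prefer over a hand-written pattern.
function is_password_hash(string $value): bool
{
    $info = password_get_info($value);
    // 'algo' is null (PHP 8) or 0 (PHP 7) for an unrecognised string.
    return !empty($info['algo']);
}

// The helper asked for in the thread: true when the stored value is NOT a
// password_hash() result, i.e. it still has to be migrated.
function is_old_password(string $stored): bool
{
    return !is_password_hash($stored);
}

// Constructed inputs: the two hashes quoted in the thread, a plain-text
// password, and an unsalted MD5 digest standing in for a legacy format.
$samples = [
    '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a',
    '$2y$12$QjSH496pcT5CEbzjD/vtVeH03tfHKFy36d4J0Ltp3lRtee9HDxY3K',
    'correct horse battery staple',
    md5('correct horse battery staple'),
];
foreach ($samples as $s) {
    printf("%-62s regex=%d php=%d old=%d\n",
        $s, looks_like_bcrypt($s), is_password_hash($s), is_old_password($s));
}
```

Both checks agree on every sample above; the regex is useful where the stored column is inspected outside PHP (SQL, a migration script), while password_get_info() is the authoritative answer inside the application.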

Hey man!! Why are you saying monkey! I never did offend you!

I’m not saying you’re a monkey. I’m saying I’m not your code monkey. Which means I’m not here only to write code for you. You already have the regular expression, you figure out how to write that function. It’s really not that hard.