Magento: 验证客户密码 How magento store password and validate password

Magento uses MD5 and salt algorithems to store password for customer as well admin user.

 

How magento create encrypted password

Magento create encrypted password with,

Mage::getModel('core/encryption')->decrypt($password);

 

Here is the logic of decrypt($password) function,

$password = "12345678";
$salt = "at";
$encyPasswod = md5($salt.$pass).":".$salt;

 

In above function, $salt is randomly generated string of two alphanumeric character.

 

How magento validate password

Bellow functiona will validate the user password,

Mage::getModel('customer/customer')->authenticate($email, $password);

 

Logic behind above function is,

$email = "[email protected]";
$password = "123456";

//Load a customer by email address
$customer = Mage::getModel('customer/customer')
->setWebsiteId(Mage::app()->getStore()->getWebsiteId())
->loadByEmail($email);

// if loaded! get stored password from database
$hash = $customer->getData("password_hash");

// Get last two digits separate by :";
$hashArr = explode(':', $hash);

public function validateHash($password, $hash)
{
     $hashArr = explode(':', $hash);
     switch (count($hashArr)) {
         case 1:
             return $this->hash($password) === $hash;
         case 2:
             return $this->hash($hashArr[1] . $password) === $hashArr[0];
     }
     Mage::throwException('Invalid hash.');
 }

 

So, it simply means that even if you have not added salt key and only MD5 text as password, login will work.

(https://techbandhu.wordpress.com/2013/08/29/how-magento-store-password-and-validate-password-magento/)

 

实例：

1. 客户端  To get Customers authenticated
   

   // Or whatever the path to your app/Mage.php happens to be ...
   require_once( dirname(__FILE__).'/app/Mage.php' );
   
   // Initialize Magento ...
   Mage::app("default");
   
   // Set the variables that we care about.
   $id = 1;  // The Store ID.  Since Magento can handle multiples, this may change.
   $username = '[email protected]';  // Their email address / username (the same thing)
   $password = 'theirpassword';  // Their password.
   	
   try{
   	$blah = Mage::getModel('customer/customer')->setWebsiteId($id)->authenticate($username, $password);
   }catch( Exception $e ){
   	$blah = false;
   }

    
2. 后台 To get Customersadmins

   // Or whatever the path to your app/Mage.php happens to be ...
   require_once( dirname(__FILE__).'/app/Mage.php' );
   
   // Initialize Magento ...
   Mage::app("default");
   
   // Set the variables that we care about.
   $username = 'admin';  // Or whatever username we're going with.
   $password = 'password'; // Obviously, replace this with whatever the actual password you're looking to validate is.
   
   $blah = Mage::getModel('admin/user')->authenticate($username, $password);

    

After either of these blocks of code, depending on whether you’re validating an admin or customer, $blah will contain TRUE for it being valid, or FALSE for it being invalid!

 

转自：Magento: 验证客户密码 How magento store password and validate password