Magento stores passwords for both customers and admin users as a salted MD5 hash.

How Magento creates the password hash

Magento creates the password hash with:

Mage::getModel('core/encryption')->getHash($password, 2); // 2 = length of the random salt

Here is the logic behind getHash($password, $salt):

$password = "12345678";
$salt = "at";                                         // random two-character salt
$passwordHash = md5($salt . $password) . ":" . $salt; // stored as "<md5>:at"


In the function above, $salt is a randomly generated string of two alphanumeric characters.

How Magento validates the password

The function below validates the user's password:

Mage::getModel('customer/customer')->authenticate($email, $password);


The logic behind the function above is:

$email = "techbandhus@gmail.com";
$password = "123456";

// Load the customer by e-mail address within the current website
$customer = Mage::getModel('customer/customer')
    ->setWebsiteId(Mage::app()->getStore()->getWebsiteId())
    ->loadByEmail($email);

// If loaded, get the stored password hash ("<md5>:<salt>") from the database
$hash = $customer->getData("password_hash");

// Split on ':' into [md5 digest, two-character salt]
$hashArr = explode(':', $hash);

// authenticate() ends up in Mage_Core_Model_Encryption::validateHash():
public function validateHash($password, $hash)
{
    $hashArr = explode(':', $hash);
    switch (count($hashArr)) {
        case 1: // no salt stored: compare against a bare MD5 of the password
            return $this->hash($password) === $hash;
        case 2: // salt stored: prepend the salt, then compare the MD5 digests
            return $this->hash($hashArr[1] . $password) === $hashArr[0];
    }
    Mage::throwException('Invalid hash.');
}


So this simply means that even if a stored hash has no salt at all (a bare MD5 of the password with no ":salt" suffix), login will still work.
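As an added example (not Magento's own code), the same scheme re-implemented in Python, plus a small audit that flags stored hashes still in the unsalted, bare-MD5 form so they can be re-hashed on the account's next login; the salt alphabet, classify_hash(), audit() and the sample rows are assumptions constructed for the example.

```python
import hashlib
import secrets
from typing import Optional

ALPHANUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"  # assumed salt alphabet

def magento_hash(password: str, salt: Optional[str] = None) -> str:
    """Legacy Magento 1 form: md5(salt . password) . ':' . salt, with a 2-char salt."""
    if salt is None:
        salt = "".join(secrets.choice(ALPHANUM) for _ in range(2))
    return hashlib.md5((salt + password).encode()).hexdigest() + ":" + salt

def validate_hash(password: str, stored: str) -> bool:
    """Mirror of validateHash(): one part = bare md5, two parts = md5:salt."""
    parts = stored.split(":")
    if len(parts) == 1:
        return hashlib.md5(password.encode()).hexdigest() == stored
    if len(parts) == 2:
        return hashlib.md5((parts[1] + password).encode()).hexdigest() == parts[0]
    raise ValueError("Invalid hash.")

def classify_hash(stored: str) -> str:
    """Label a stored password_hash as 'salted', 'unsalted' or 'invalid'."""
    parts = stored.split(":")
    digest_ok = len(parts[0]) == 32 and all(c in "0123456789abcdef" for c in parts[0])
    if len(parts) == 1 and digest_ok:
        return "unsalted"  # bare MD5: accepted by case 1, no salt at all
    if len(parts) == 2 and digest_ok and parts[1]:
        return "salted"
    return "invalid"       # validateHash() would throw 'Invalid hash.'

# Constructed sample rows shaped like (email, password_hash) from customer_entity.
SAMPLE_ROWS = [
    ("alice@example.com", magento_hash("12345678", "at")),
    ("bob@example.com", hashlib.md5(b"123456").hexdigest()),  # no salt stored
    ("carol@example.com", "not-a-hash"),
]

def audit(rows):
    """Group e-mails by hash class so unsalted/invalid rows can be re-hashed."""
    report = {"salted": [], "unsalted": [], "invalid": []}
    for email, stored in rows:
        report[classify_hash(stored)].append(email)
    return report
```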

Examples:

  1. Customer: to authenticate a customer
// Or whatever the path to your app/Mage.php happens to be ...
require_once( dirname(__FILE__).'/app/Mage.php' );

// Initialize Magento ...
Mage::app("default");

// Set the variables that we care about.
$id = 1;  // The Store ID.  Since Magento can handle multiples, this may change.
$username = 'their.email@their.domain.com';  // Their email address / username (the same thing)
$password = 'theirpassword';  // Their password.
try {
    $blah = Mage::getModel('customer/customer')->setWebsiteId($id)->authenticate($username, $password);
} catch (Exception $e) {
    $blah = false;
}
  2. Admin: to authenticate an admin user
// Or whatever the path to your app/Mage.php happens to be ...
require_once( dirname(__FILE__).'/app/Mage.php' );

// Initialize Magento ...
Mage::app("default");

// Set the variables that we care about.
$username = 'admin';  // Or whatever username we're going with.
$password = 'password'; // Obviously, replace this with whatever the actual password you're looking to validate is.

$blah = Mage::getModel('admin/user')->authenticate($username, $password);

After either of these blocks of code, depending on whether you’re validating an admin or customer, $blah will contain TRUE for it being valid, or FALSE for it being invalid!