Changing Password Hash for CakePHP Auth

 Jul 5, 2013

Sometimes you need to use a non-standard password hashing algorithm with the CakePHP Auth component. In the 2.3.x branch, you need to write a custom Authenticate class to override the _password method.

We were upgrading an old CakePHP 1.3.x app to the 2.3.x branch and needed to support SHA256 hashing for the passwords. As we had the salt from the original 1.3 app we were all set to continue using CakePHP’s Auth component, but needed it to hash the passwords with the right algorithm.

In CakePHP 1.3 you could set the hash for the Auth component by calling the setHash method of the Security class during the beforeFilter:

Security::setHash('sha256');

But in CakePHP 2.3.x it's slightly different, as you configure the Auth component in the components array, not in the beforeFilter. To change the hashing algorithm, you need to override the _password method in the Authenticate class.

We inherited from the FormAuthenticate class (so all the other methods would stay the same) and overrode the _password method to use the SHA256 hash.

<?php

App::uses('FormAuthenticate', 'Controller/Component/Auth');
App::uses('Security', 'Utility');

class Sha2Authenticate extends FormAuthenticate
{
    /**
     * Override the _password method in the FormAuthenticate class
     * to use SHA256, which is compatible with the current CRM data.
     *
     * The third argument (true) tells Security::hash to prepend the
     * Security.salt value from Config/core.php, the same salt the
     * old 1.3 app used.
     */
    protected function _password($password)
    {
        return Security::hash($password, 'sha256', true);
    }
}
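To wire the class into the Auth component and keep password writes on the same algorithm, here is an added example (not code from the original post); the controller, model and field names are assumptions, and the two classes would normally live in their own files.

```php
<?php
// Added example: wiring Sha2Authenticate into Auth and hashing on save
// with the same algorithm. Controller/model/field names are assumptions.
App::uses('AppController', 'Controller');
App::uses('AppModel', 'Model');
App::uses('Security', 'Utility');

class UsersController extends AppController
{
    public $components = array(
        'Session',
        'Auth' => array(
            // Key is the class name minus "Authenticate"; CakePHP loads it
            // from app/Controller/Component/Auth/Sha2Authenticate.php
            'authenticate' => array(
                'Sha2' => array(
                    'userModel' => 'User',
                    'fields' => array('username' => 'username', 'password' => 'password'),
                ),
            ),
        ),
    );

    public function login()
    {
        if ($this->request->is('post')) {
            // Auth::login() runs Sha2Authenticate::_password() on the posted
            // value and looks the user up by username plus the sha256 hash.
            if ($this->Auth->login()) {
                return $this->redirect($this->Auth->redirectUrl());
            }
            $this->Session->setFlash(__('Invalid username or password'));
        }
    }
}

class User extends AppModel
{
    // Hash on save with the same type and salt flag as the authenticate
    // class. AuthComponent::password() would use CakePHP's default hash
    // type instead, and newly saved passwords would never match at login.
    public function beforeSave($options = array())
    {
        if (isset($this->data[$this->alias]['password'])) {
            $this->data[$this->alias]['password'] = Security::hash(
                $this->data[$this->alias]['password'], 'sha256', true
            );
        }
        return true;
    }
}
```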

I’ve heard that this won’t be needed in CakePHP 2.4.x, as there will be new password hashing classes that will handle this in a much simpler way. However, sadly I haven’t had time to properly play with 2.4 yet, which is a very big to-do on my list, as always we need to keep track of the changes.