2 months ago

Changing the default hash comparsion method

Posted 2 months ago by Mikegk

Hi guys,

I know that's something nobody would suggest because MD5 is more than deprecated and might end up in collisions but for the current project it is necessary.

The question is, how can I get the system Login method, to NOT use it's hash algorithm on login? I would like to use MD5(request('password')) instead.

I already looked at https://laravel.com/docs/7.x/authentication#authenticating-users (Manually authentification) but there was no info about changing the hash algorithm (I do not want to change the config/hashing.php because I will use the bcrypt hashing method later).

Within the AuthenticatesUsers Trait I localized the following Method

public function login(Request $request)

        // If the class is using the ThrottlesLogins trait, we can automatically throttle
        // the login attempts for this application. We'll key this by the username and
        // the IP address of the client making these requests into this application.
        if (method_exists($this, 'hasTooManyLoginAttempts') &&
            $this->hasTooManyLoginAttempts($request)) {

            return $this->sendLockoutResponse($request);

        if ($this->attemptLogin($request)) {
            return $this->sendLoginResponse($request);

        // If the login attempt was unsuccessful we will increment the number of attempts
        // to login and redirect the user back to the login form. Of course, when this
        // user surpasses their maximum number of attempts they will get locked out.

        return $this->sendFailedLoginResponse($request);

...and it looked like this would be the corresponding part

if ($this->attemptLogin($request)) {
            return $this->sendLoginResponse($request);

...so all there is to do, is telling "attemptLogin" to compair MD5(request('password')) with users.password (and the e-mail of course), right?

Following the attemotLogin Method, I end up here:

     * Attempt to log the user into the application.
     * @param  \Illuminate\Http\Request  $request
     * @return bool
    protected function attemptLogin(Request $request)
        return $this->guard()->attempt(
            $this->credentials($request), $request->filled('remember')

...well and that's where it leads me to the Auth-Class. Neither a login nor attempt Method :(...

Would be very happy for any help.

Please sign in or create an account to participate in this conversation.