
ershubham's avatar

MD5 to bcrypt

Hello there, I have an existing project in which the password is stored in MD5, but now in Laravel the password must be in md5, so I need some help to convert my existing 5000 records to bcrypt.

Somewhere I found that I have to update the password when the user logs in, but how can I do that? Please give me some help.

0 likes
6 replies
mikefolsom's avatar

One approach (assuming you are using Laravel's auth scaffolding) would be to add an `authenticated()` method to LoginController:

    protected function authenticated(Request $request, $user)
    {
        $user->password = bcrypt($request->password);
        $user->save();
        return redirect()->intended($this->redirectPath());
    }

This would override the empty method of the same name in the AuthenticatesUsers trait.

mikefolsom's avatar

@ershubham Just make sure the password column is of appropriate length.

When building the database schema for the App\User model, make sure the password column is at least 60 characters in length. Maintaining the default string column length of 255 characters would be a good choice.

Basically, that method only fires when the user has been authenticated, so you know the password sent in the request was correct.

But looking back on my response, I realize that I did leave out some considerations. :) True, this will update the user's password, but not the authentication logic. For a while, at least, you will need to maintain two sets of parallel login logic: one for the old md5 passwords, and one for the new bcrypted passwords.

One way I have done this in the past is to rename the "old" password column to, for example, password_md5 and add a new password column for the bcrypted version.

When a user attempts to log in, check to see if they have an md5 password stored. If so, attempt to authenticate them via md5. If successful, then use the clear text password from the request, bcrypt it, and save it to the password column, then delete their md5 version. If they don't have an md5 password in the database, then attempt to authenticate them via the standard Laravel method, as you can assume they have been 'upgraded' already.

So then you might end up with something like this:

    protected function authenticated(Request $request, $user)
    {
        $user->password = bcrypt($request->password);
        $user->password_md5 = ''; // or null, if the column is nullable
        $user->save();
        return redirect()->intended($this->redirectPath());
    }

I ended up writing a LegacyAuth class in my case to aid in one transition from a SHA-based system. Let me know if you run into snags.

hatejam's avatar

This is my personal solution, using Laravel 5.5. I've overwritten the default login method inside the LoginController.php.

    <?php

    namespace App\Http\Controllers\Auth;

    use App\Http\Controllers\Controller;
    use Illuminate\Foundation\Auth\AuthenticatesUsers;

    use Illuminate\Http\Request;
    use App\User;
    use Hash;

    class LoginController extends Controller
    {
        /*
        |--------------------------------------------------------------------------
        | Login Controller
        |--------------------------------------------------------------------------
        |
        | This controller handles authenticating users for the application and
        | redirecting them to your home screen. The controller uses a trait
        | to conveniently provide its functionality to your applications.
        |
        */

        use AuthenticatesUsers;

        /**
         * Where to redirect users after login.
         *
         * @var string
         */
        protected $redirectTo = '/home';

        /**
         * Create a new controller instance.
         *
         * @return void
         */
        public function __construct()
        {
            $this->middleware('guest')->except('logout');
        }

        /**
         * Overwrite default login method in order to allow user to use old MD5 Hash passwords
         * and migrate it without asking him any change
         */
        public function login(Request $request)
        {
            $this->validateLogin($request);

            // If the class is using the ThrottlesLogins trait, we can automatically throttle
            // the login attempts for this application. We'll key this by the username and
            // the IP address of the client making these requests into this application.
            if ($this->hasTooManyLoginAttempts($request)) {
                $this->fireLockoutEvent($request);

                return $this->sendLockoutResponse($request);
            }

            // check against old md5 password, if correct, create bcrypted updated pswd
            $user = User::where('email', $request->email)->first();

            // hash_equals() compares the two hashes as strings; a loose == would
            // treat hashes of the form "0e<digits>" as equal numbers.
            if ($user && hash_equals((string) $user->password, md5($request->password))) {
                $user->password = Hash::make($request->password);
                $user->save();
            }

            if ($this->attemptLogin($request)) {
                return $this->sendLoginResponse($request);
            }

            // If the login attempt was unsuccessful we will increment the number of attempts
            // to login and redirect the user back to the login form. Of course, when this
            // user surpasses their maximum number of attempts they will get locked out.
            $this->incrementLoginAttempts($request);

            return $this->sendFailedLoginResponse($request);
        }
    }

Note: My project auth system was initialized with the php artisan make:auth command

1 like
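
The login-time upgrade described in the replies above (separate `password_md5` and `password` columns, MD5 check first, then bcrypt), as an added example that is not code from the thread or from Laravel. It is plain PHP so it runs without the framework: the `$user` array, its sample values and the `verifyAndUpgrade()` name are assumptions standing in for the User model and the controller logic.

```php
<?php
// Added example, not code from the thread. $user is a constructed array with
// 'password' (bcrypt) and 'password_md5' (legacy) keys; in Laravel these would
// be attributes on the User model, saved after a successful call.

/**
 * Verify a login and upgrade the stored hash in place.
 * Returns true when the plaintext matches; $user is modified by reference.
 */
function verifyAndUpgrade(array &$user, string $plain): bool
{
    // Legacy path: the user still has an MD5 hash stored.
    if (!empty($user['password_md5'])) {
        // hash_equals() compares as strings in constant time; a loose ==
        // would treat two "0e<digits>" hashes as equal numbers.
        if (!hash_equals($user['password_md5'], md5($plain))) {
            return false;
        }
        $user['password'] = password_hash($plain, PASSWORD_BCRYPT);
        $user['password_md5'] = null; // drop the weak hash once upgraded
        return true;
    }

    // Upgraded path: standard bcrypt check.
    if (empty($user['password']) || !password_verify($plain, $user['password'])) {
        return false;
    }
    // Re-hash when the stored hash was made with an older cost setting.
    if (password_needs_rehash($user['password'], PASSWORD_BCRYPT)) {
        $user['password'] = password_hash($plain, PASSWORD_BCRYPT);
    }
    return true;
}

// Constructed sample record: a legacy user with only an MD5 hash on file.
$user = [
    'email'        => 'alice@example.test',
    'password'     => null,
    'password_md5' => md5('s3cret-demo'),
];

var_dump(verifyAndUpgrade($user, 'wrong-guess')); // wrong password, record untouched
var_dump(verifyAndUpgrade($user, 's3cret-demo')); // legacy match, triggers the upgrade
var_dump($user['password_md5']);                  // legacy column after the upgrade
var_dump(verifyAndUpgrade($user, 's3cret-demo')); // second login goes through bcrypt
```

Accounts that never log in again keep their MD5 hash under this scheme, so the legacy column stays sensitive until those rows are expired or forced through a password reset.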
