
Jelmer
Level 14

Strangest login problem

Hi nice people of Laracasts!

I've got the strangest login problem on my Digital Ocean production server (homestead works fine, pushed to production with git).

After logging out there is no way to log back in via the login form. (These credentials do not match our records.)

But:

  1. I'm able to register a new user which logs me in automatically
  2. Password reset and click the email login -> enter new password. Logged in automatically again.

Changing the password via tinker:

$user->password = bcrypt('password');
$user->save();

results in a different password string than the one I see in MySQL...

This puzzles me deeply; I've been bug hunting for days since this is crucial for the app. Does anybody have a clue?

0 likes
3 replies
bobbybouwmann

Well, Laravel uses the application key to generate a password hash. This password hash is always unique. So when you run your above code in tinker you always get a different code. However, the user can simply log in with the same password. When you change your app key you won't be able to decrypt the password anymore, since it's using that key for that.

This article is based on Laravel 4, but should give you an idea on how it works: https://mnshankar.wordpress.com/2014/03/29/laravel-hash-make-explained/

1 like
ishyevandro

Hi,

you can use (PHP 5.5+)

$hash = password_hash($password, PASSWORD_BCRYPT);

and

if(password_verify($password, $hash)) echo "Equal"; else echo "Not equal";

the password stored in the db has some characters that show password_verify the sequence/way(?) to crypt the password sent by the client. This way it is possible to try to match the two passwords even when every password_hash generates a unique sequence.

https://laracasts.com/lessons/php-password-hashing

http://php.net/manual/en/function.password-hash.php

http://php.net/manual/en/function.password-verify.php

@edit: password_hash($something, PASSWORD_BCRYPT); uses the same algorithm as bcrypt();

1 like
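The "unique sequence" ishyevandro mentions is the random salt that bcrypt stores inside the hash string itself, which is also why Jelmer's tinker call above produces a string that does not match the MySQL column. The following is an added example, not code from the thread or from Laravel; it pulls the cost and salt back out of two hashes of the same password and shows that password_verify() accepts both. The inspectBcrypt() helper and the sample password are the example's own.

```php
<?php
// Added example, not code from the thread. It shows why a fresh bcrypt hash
// differs from the stored one (the random salt is part of the hash string) and
// why password_verify() still matches both. inspectBcrypt() is this example's helper.
declare(strict_types=1);

/**
 * Split a bcrypt string into its parts: $2y$<cost>$<22-char salt><31-char digest>.
 * Throws if the string is not a bcrypt hash, which doubles as a sanity check on
 * whatever is actually sitting in the users.password column.
 */
function inspectBcrypt(string $hash): array
{
    if (!preg_match('~^\$2[aby]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$~', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash: ' . $hash);
    }
    return ['cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]];
}

$password = 'password'; // constructed sample input

// Cost 10 is passed explicitly so the output matches Laravel's default bcrypt() rounds.
$hashA = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$hashB = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

// Each call draws a fresh random salt, so the two strings differ even though the
// password is identical. Comparing hash strings for equality is never a login check.
printf("same string? %s\n", $hashA === $hashB ? 'yes' : 'no');
printf("salt A: %s\nsalt B: %s\n", inspectBcrypt($hashA)['salt'], inspectBcrypt($hashB)['salt']);

// password_verify() reads cost and salt back out of the stored hash, re-hashes the
// candidate with them and compares in constant time. Nothing outside the hash
// string (no application key, no separate salt column) is needed.
printf("A verifies: %s\n", password_verify($password, $hashA) ? 'yes' : 'no');
printf("B verifies: %s\n", password_verify($password, $hashB) ? 'yes' : 'no');
printf("wrong password verifies: %s\n", password_verify('not-the-password', $hashA) ? 'yes' : 'no');

// The cost is stored too, so old rows can be detected and upgraded at next login.
printf("needs rehash at cost 12? %s\n",
    password_needs_rehash($hashA, PASSWORD_BCRYPT, ['cost' => 12]) ? 'yes' : 'no');
```

A practical use of inspectBcrypt() on a production box is to paste the exact value from the users table into it: if it does not parse as a bcrypt string at all, or verifies against nothing, the problem is what was written to the column, not the hashing function.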
Jelmer
Level 14

Thank you guys...

It had something to do with the password fields and not with hashing.

I've found a method in my User class which interfered with the password generation: a system I built to leave user password fields empty to leave their passwords unchanged when only changing user roles or other parameters.

Playing with authentication can be complicated business...
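Jelmer's fix points at a mutator on the User model, but the thread does not show it. As an added illustration (not the thread's or Laravel's code), here is a framework-free stand-in for an Eloquent-style setPasswordAttribute(): it keeps the stored hash when the field is submitted blank, as the thread describes, and the example then shows one common way such a mutator interferes, namely hashing a value that was already hashed by a controller or by bcrypt() in tinker. That double-hashing scenario is the example's assumption, as are the class, method and field names.

```php
<?php
// Added example, not the thread's code. A framework-free stand-in for an
// Eloquent-style password mutator, showing how "leave the field blank to keep the
// old password" logic can collide with hashing done elsewhere. Class, method and
// field names are assumptions; the double-hashing scenario is illustrative.
declare(strict_types=1);

class User
{
    protected array $attributes = ['password' => null];

    // Mimic Eloquent: assigning $user->password routes through setPasswordAttribute().
    public function __set(string $name, $value): void
    {
        $method = 'set' . ucfirst($name) . 'Attribute';
        if (method_exists($this, $method)) {
            $this->$method($value);
        } else {
            $this->attributes[$name] = $value;
        }
    }

    public function __get(string $name)
    {
        return $this->attributes[$name] ?? null;
    }

    // Problematic version: a blank value keeps the stored hash (the behaviour the
    // thread describes), but anything else is hashed unconditionally.
    public function setPasswordAttribute(?string $value): void
    {
        if ($value === null || $value === '') {
            return; // role change or similar: leave the password as it is
        }
        $this->attributes['password'] = password_hash($value, PASSWORD_BCRYPT, ['cost' => 10]);
    }
}

// Hardened version: still keeps the old hash on a blank value, but refuses to
// hash something that is already a password_hash() string. The detection is a
// safety net; the real fix is to hash in exactly one place in the code base.
class HardenedUser extends User
{
    public function setPasswordAttribute(?string $value): void
    {
        if ($value === null || $value === '') {
            return;
        }
        // password_get_info() reports an empty 'algo' for anything that is not a
        // recognised password_hash() output (0 before PHP 7.4, null from 7.4 on).
        if (!empty(password_get_info($value)['algo'])) {
            $this->attributes['password'] = $value; // already hashed, store as-is
            return;
        }
        $this->attributes['password'] = password_hash($value, PASSWORD_BCRYPT, ['cost' => 10]);
    }
}

function canLogIn(User $user, string $plain): bool
{
    return $user->password !== null && password_verify($plain, $user->password);
}

function yesNo(bool $b): string { return $b ? 'yes' : 'no'; }

foreach ([new User(), new HardenedUser()] as $u) {
    echo get_class($u), "\n";

    // 1. Registration form sends plaintext; the mutator hashes it once.
    $u->password = 'password';
    echo "  after registration, can log in: ", yesNo(canLogIn($u, 'password')), "\n";

    // 2. Role edit submits an empty password field; the stored hash survives.
    $u->password = '';
    echo "  after blank update, can log in: ", yesNo(canLogIn($u, 'password')), "\n";

    // 3. Code elsewhere (a controller, or bcrypt() in tinker) hashes first and then
    //    assigns. The plain User hashes the hash, so the real password stops
    //    verifying; HardenedUser stores the incoming hash unchanged.
    $u->password = password_hash('password', PASSWORD_BCRYPT, ['cost' => 10]);
    echo "  after pre-hashed assignment, can log in: ", yesNo(canLogIn($u, 'password')), "\n";
}
```

The quickest way to confirm this class of bug on a live server is to read the raw users.password value after a save and run password_verify() against the password that was just set: if a freshly saved, known password does not verify, the column holds something other than a single bcrypt hash of it, and the save path (mutators, observers, controllers) is where to look.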
