After an upgrade to PHP 7, the BCryptPasswordEncoder throws the following error, e.g. on registration when using the FOSUserBundle standard registration page:
"Use of the 'salt' option to password_hash is deprecated in C:\xampp\htdocs\ascentary \vendor\symfony\symfony\src\Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder.php line 81 " at C:\xampp\htdocs\testproject\vendor\behat\behat\src\Behat\Testwork\Call\Handler\RuntimeCallHandler."
I've tracked down this issue, and the problem is the FOS UserManager class, which calls:
    /**
     * {@inheritDoc}
     */
    public function updatePassword(UserInterface $user)
    {
        if (0 !== strlen($password = $user->getPlainPassword())) {
            $encoder = $this->getEncoder($user);
            // $user->getSalt() is handed to the bcrypt encoder here
            $user->setPassword($encoder->encodePassword($password, $user->getSalt()));
            $user->eraseCredentials();
        }
    }
Passing $user->getSalt() here throws the error, because on PHP 7 you are no longer allowed to pass a custom salt to the bcrypt encoding / password_hash function. In addition, I see a problem in the base FOS user entity, because in its constructor the salt is set like:
    $this->salt = base_convert(sha1(uniqid(mt_rand(), true)), 16, 36);
Questions:
(1) How to solve the error I posted above? Maybe overriding the UserManager, or is there a solution provided by fos?
(2) How to properly save the salt that is automatically generated?
(3) Are there any other updates required, like updating the ircmaxell lib?
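The following is an added, self-contained PHP 7.0 example (not code from FOSUserBundle, Symfony or the question above) showing the three things the question turns on: the explicit 'salt' option that triggers the deprecation notice, the salt-free password_hash() call that replaces it, and an updatePassword() written the way an overriding UserManager could do it. DemoUser, the function names and the cost of 13 are assumptions made for the demonstration; the sample password is a constructed value.

```php
<?php
// Added example, not FOSUserBundle or Symfony code. DemoUser and the function
// names are hypothetical stand-ins; the cost of 13 is an assumed value and
// should match the cost configured for the bcrypt encoder in security.yml.

declare(strict_types=1);

final class DemoUser
{
    /** @var string|null */
    public $plainPassword;
    /** @var string|null */
    public $password;
    /** @var string|null */
    public $salt;

    public function __construct()
    {
        // Same expression the legacy FOS User constructor uses; on PHP 7 this
        // value must not be handed to bcrypt.
        $this->salt = base_convert(sha1(uniqid((string) mt_rand(), true)), 16, 36);
    }
}

// The pattern that triggers the notice: an explicit 'salt' option.
// PHP 7.0 emits "Use of the 'salt' option to password_hash is deprecated";
// later releases no longer honour the option at all.
function hashWithCustomSalt(string $plain, string $salt, int $cost = 13): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => $cost, 'salt' => $salt]);
}

// The fix: omit 'salt'. bcrypt draws a 128-bit random salt itself and keeps it
// inside the 60-character result ("$2y$13$" + 22 salt chars + 31 hash chars).
function hashWithBuiltinSalt(string $plain, int $cost = 13): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Verification needs only the stored hash; the salt is read back out of it,
// so a separate salt column is not required for bcrypt users.
function verifyPassword(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}

// Logic for an overriding updatePassword(): never pass the entity's salt, and
// clear it so nothing downstream tries to reuse a stale value.
function updatePassword(DemoUser $user)
{
    if (0 !== strlen((string) $user->plainPassword)) {
        $user->password = hashWithBuiltinSalt($user->plainPassword);
        $user->salt = null;          // the salt now lives inside $user->password
        $user->plainPassword = null; // what eraseCredentials() does
    }
}

$user = new DemoUser();
$user->plainPassword = 'correct horse battery staple'; // constructed sample value
updatePassword($user);

printf("hash:        %s\n", $user->password);
printf("format:      %s\n", preg_match('#^\$2y\$13\$[./A-Za-z0-9]{53}$#', $user->password)
    ? 'bcrypt, salt embedded' : 'unexpected');
printf("verify:      %s\n", verifyPassword('correct horse battery staple', $user->password) ? 'ok' : 'FAIL');
printf("wrong pw:    %s\n", verifyPassword('not the password', $user->password) ? 'FAIL' : 'rejected');
printf("salt column: %s\n", var_export($user->salt, true));
```

Because bcrypt stores its own salt inside the hash, the entity's salt can simply be left null for bcrypt users; the password column alone is enough for password_verify(). password_hash() and password_verify() are native since PHP 5.5, so on PHP 7 a password_compat polyfill (the ircmaxell library) is not what produces the notice and does nothing once the native functions exist.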