We are moving our forum in GitHub Discussions. For questions about Phalcon v3/v4 you can visit here and for Phalcon v5 here.

Simple Auth Problem [SOLVED]

Let me preface this with saying, "I really feel stupid asking this question!" But I am stumped and would like some feed back on what the hell I am doing wrong. So here is my simple authentication method :

    public function startSessionAction()

            $data = $this->request;

            $username = $data->getPost('username');
            $password = $data->getPost('password');

            $user = Users::findFirstByUsername($username);


                if($this->security->checkHash($password, $user->password)){
                    $this->persistent->name = $user->name;
                    $this->flashSession->success('Welcome ' . $this->persistent->name);
                    return $this->response->redirect('user/index');
                $this->flashSession->error("The username you provided is not in our system.");
                return $this->response->redirect('user/login');

            $this->flashSession->error("Password does match our records for " . $user->username . " .");

        return $this->response->redirect('user/login');


Full controller can be viewed here : https://gist.github.com/unisys12/8941453

So, the problem I am having is that the password is failing to match. I feel the reason has something to do with the 'checkHash()' method, as outlined in the Security docs here(http://docs.phalcon.io/en/latest/reference/security.html#password-hashing) and the API here (http://docs.phalcon.io/en/latest/api/Phalcon_Security.html). The password was saved from a reg form and after assigning the password field to a var, that was then passed to method which, of course, created the hashed password stored in the database.

So. What very basic, fundamental thing am I over looking. I know I have a very bad habit of over thinking things, so... just need someone to bring me back down to earth.

edited Feb '14

hi, di you use:

$user->password = $this->security->hash($password);

for encrypting user password ?

edited Feb '14

Yes... for clarity in how the password gets into the database, here is my createAction() from the UserController :

public function createAction()


            $request = $this->request;

            $name = $request->getPost('name');
            $email = $request->getPost('email');
            $username = $request->getPost('username');
            $password = $request->getPost('password');
            $password_confirm = $request->getPost('password_confirm');

            if($password != $password_confirm){
                $this->flashSession->error('Passwords do not match');
                return false;

            $user = new Users();
            $user->name = $name;
            $user->email= $email;
            $user->username = $username;
            $user->password = $this->security->hash($password);
            $user->created_at = new Phalcon\Db\RawValue('now()');
            $user->updated_at = new Phalcon\Db\RawValue('now()');

            if($user->save() == false){
                foreach($user->getMessages() as $message){
                    $this->flashSession->error((string) $message);
            } else {
                Tag::setDefault('username', $user->username);
                $msg = $this->flashSession->success('Thanks for singing up. Please log in to get started.');
                return $this->response->redirect('/blog-local/');





I ended up doing md5(password), and that did the trick.

@mullermx - Although I am only doing this project for myself, it will be eventually be hosted. So having to use md5 is not going to cut it. I don't know C, but I can read. So it's about time I start digging in the core to see what is going on inside 'hash()' and 'checkHash'; I am not giving up and will keep this updated.

Figured out what the problem was. And yes, it was stupid. Well maybe not too stupid, but stupid enough. The problem was with the users table. When I created it, I accidently set the character limit for the password column to 50 and not 60, which is the minimum allowed for crypt passwords. DOH! Well, I guess one good thing came out of this: I have rewritten this authentication method so many times and in so many different ways... I have a far better understanding of the mechanics of an authentication system than ever before. Well, I will take my learning however I can get it.


Hahaha, the reason I can laugh at this is because the exact same thing happened to me -____- I understand the frustrations involved, but I decided to go with the new password hashing API in PHP5.5, and the recommended practice is to use a 255 char limit, so that in the event of bcrypt not being the default hashing function, the column would have enough space to accept pretty much any others.

edited Mar '14

For the record, this was the package I used - http://jeremykendall.net/2014/01/04/php-password-hashing-a-dead-simple-implementation buddy of mines project and wanted to check it out. Offers backwards compatibility and stuff. Give it a quick read.