Reputation: 1435
Not sure what's wrong, but it says that my email/password is incorrect. This only happens when my password is hashed. I'm just looking for simple password hashing; I don't need something complicated. I've tried a couple of ways of doing it, none of them works.
In my UserIdentity:
//...stuff here
$loginSuccess = false;
if ($user->hashed === 'Y') {
    $loginSuccess = (md5($this->password) === $user->password);
    //$hash = CPasswordHelper::hashPassword($this->password);
    //if (CPasswordHelper::verifyPassword($user->password, $hash))
    //    $loginSuccess = true;
} else {
    $loginSuccess = ($this->password === $user->password);
}
// Login failure
if ($loginSuccess == false) {
    //...stuff here
In my controller:
$model = new LoginForm;
// if it is ajax validation request
if (Yii::app()->request->isAjaxRequest)
{
    if (isset($_POST['LoginForm']))
    {
        $model->attributes = $_POST['LoginForm'];
        $password = $_POST['LoginForm']['password'];
        $hash = CPasswordHelper::hashPassword($password);
        if (CPasswordHelper::verifyPassword($model->password, $hash))
        {
            if ($model->validatePassword($password) && $model->login())
            { //do stuff if okay
Upon joining the site:
if (isset($_POST['User']))
{
    $model->attributes = $_POST['User'];
    $hash = CPasswordHelper::hashPassword($_POST['User']['password']);
    $model->password = $hash;
    if ($model->validate())
Upvotes: 4
Views: 974
Reputation: 41
I believe I've found a flaw in CPasswordHelper::verifyPassword(). I don't have the time to check it thoroughly, so I just added this line to the beginning of the function that bypasses the rest of it:
/* this library's ::same class seems not to be working */
if ($password == $hash)
    return true;
else
    return false;
I don't find a reason why $test = crypt($password, $hash) is needed there, but somebody with a deep knowledge of encrypting will surely have an answer I can't provide.
So a simple string comparison does a simpler trick that allows me to go on until I can sit down and do my homework. Can anyone out there help find the truth, please?
Upvotes: 0
Reputation: 8726
Check the first two commented lines in your code/question:
$hash = CPasswordHelper::hashPassword($this->password); and
if (CPasswordHelper::verifyPassword($user->password, $hash))
Here, you are hashing the user input password and then verifying a hash string against a hash string. This is the simple mistake. In the case of verifyPassword, you have to verify the user input password against the hash string.
hashPassword generates a secure hash from the pair of user password and a random salt. That is what you are storing in the database. In your code $user->password returns the hash of the user password.
But verifyPassword verifies the password which is entered in the login page against the hash which you have stored in the database. Now check the code...
When creating the user:
$passHash = CPasswordHelper::hashPassword(trim($_POST['LoginForm']['password']));
//Store this hash in Database
When processing the login:
//user input
$pass = 'pa123456';
//which is coming from db. In your case $user->password
$hash = '$2a$13$35cIyyLPznkG8xK.d0NbW.hBGl5fWDYaleZAN4cYECoNZ1C6BLaA6';
//verify password
if (CPasswordHelper::verifyPassword($pass, $hash))
{
    echo "good";
}
else
{
    echo "Bad";
}
Upvotes: 2
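The pairing described in the answer above, applied to the asker's UserIdentity, as an added example (not code from the question, the answers, or the Yii framework): it verifies the submitted password against the stored bcrypt hash with the arguments in the right order and upgrades legacy plaintext rows (the question's hashed flag) on their first successful login. It assumes a User ActiveRecord with id, email, password and hashed columns, and CPasswordHelper from Yii 1.1.14 or later.

```php
<?php
// Added example, not from the question or answers. Assumes a `User`
// ActiveRecord with `id`, `email`, `password` and `hashed` columns and
// CPasswordHelper (Yii >= 1.1.14).
class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        // $this->username holds the e-mail submitted by the login form.
        $user = User::model()->findByAttributes(array('email' => $this->username));
        if ($user === null) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
            return false;
        }

        if ($user->hashed === 'Y') {
            // Argument order: (plain password from the form, hash from the DB).
            // verifyPassword() reads the salt and cost out of the stored hash,
            // so the hash must never be recomputed from the input at login.
            $loginSuccess = CPasswordHelper::verifyPassword($this->password, $user->password);
        } else {
            // Legacy row still holding a plaintext password: compare in
            // constant time, then replace it with a bcrypt hash.
            $loginSuccess = CPasswordHelper::same($this->password, $user->password);
            if ($loginSuccess) {
                $user->password = CPasswordHelper::hashPassword($this->password);
                $user->hashed = 'Y';
                $user->save(false);
            }
        }

        if (!$loginSuccess) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
            return false;
        }

        $this->_id = $user->id;
        $this->errorCode = self::ERROR_NONE;
        return true;
    }

    public function getId()
    {
        return $this->_id;
    }
}
```

Registration stays as in the question: store the output of CPasswordHelper::hashPassword() and set hashed to 'Y'. The login controller then passes the raw form password through to this identity and must not call hashPassword() itself.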