Amsterdam Nov. 21-23, 2019
Tunis (Tunisia) April 27, 2019
São Paulo (Brazil) May 16-17, 2019
Warszawa (Poland) June 13-14, 2019
London (UK) Sep. 13, 2019
Berlin (Germany) Sep. 24-27, 2019
New York (USA) Q4, 2019
  1. Home
  2. Documentation
  3. Cookbook
  4. Security
  5. How to Choose the Password Encoder Algorithm Dynamically
WARNING: You are browsing the documentation for Symfony 2.5 which is not maintained anymore. Consider upgrading your projects to Symfony 4.2.

How to Choose the Password Encoder Algorithm Dynamically

2.5 version
Unmaintained
2.6

How to Choose the Password Encoder Algorithm Dynamically

New in version 2.5: Named encoders were introduced in Symfony 2.5.

Usually, the same password encoder is used for all users by configuring it to apply to all instances of a specific class:

  • YAML
    1
2
3
4
5
    # app/config/security.yml
security:
    # ...
    encoders:
        Symfony\Component\Security\Core\User\User: sha512
  • XML
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
    <!-- app/config/security.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        http://symfony.com/schema/dic/services/services-1.0.xsd"
>
    <config>
        <!-- ... -->
        <encoder class="Symfony\Component\Security\Core\User\User"
            algorithm="sha512"
        />
    </config>
</srv:container>
  • PHP
    1
2
3
4
5
6
7
8
9
    // app/config/security.php
$container->loadFromExtension('security', array(
    // ...
    'encoders' => array(
        'Symfony\Component\Security\Core\User\User' => array(
            'algorithm' => 'sha512',
        ),
    ),
));

Another option is to use a "named" encoder and then select which encoder you want to use dynamically.

In the previous example, you've set the sha512 algorithm for Acme\UserBundle\Entity\User. This may be secure enough for a regular user, but what if you want your admins to have a stronger algorithm, for example bcrypt. This can be done with named encoders:

  • YAML
    1
2
3
4
5
6
7
    # app/config/security.yml
security:
    # ...
    encoders:
        harsh:
            algorithm: bcrypt
            cost: 15
  • XML
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
    <!-- app/config/security.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        http://symfony.com/schema/dic/services/services-1.0.xsd"
>

    <config>
        <!-- ... -->
        <encoder class="harsh"
            algorithm="bcrypt"
            cost="15" />
    </config>
</srv:container>
  • PHP
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
    // app/config/security.php
$container->loadFromExtension('security', array(
    // ...
    'encoders' => array(
        'harsh' => array(
            'algorithm' => 'bcrypt',
            'cost'      => '15'
        ),
    ),
));

This creates an encoder named harsh. In order for a User instance to use it, the class must implement EncoderAwareInterface. The interface requires one method - getEncoderName - which should return the name of the encoder to use:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
// src/Acme/UserBundle/Entity/User.php
namespace Acme\UserBundle\Entity;

use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\Encoder\EncoderAwareInterface;

class User implements UserInterface, EncoderAwareInterface
{
    public function getEncoderName()
    {
        if ($this->isAdmin()) {
            return 'harsh';
        }

        return null; // use the default encoder
    }
}

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.