Search by Algolia
Back to symfony.com
50% discount in conference replays
2020 and 2021 events
In English, French, German, Polish and Spanish

How to Choose the Password Encoder Algorithm Dynamically

Edit this page

Warning: You are browsing the documentation for Symfony 2.8, which is no longer maintained.

Read the updated version of this page for Symfony 6.0 (the current stable version).

How to Choose the Password Encoder Algorithm Dynamically

Usually, the same password encoder is used for all users by configuring it to apply to all instances of a specific class:

  • YAML
  • XML
  • PHP 
1
2
3
4
5
# app/config/security.yml
security:
    # ...
    encoders:
        Symfony\Component\Security\Core\User\User: sha512

Another option is to use a "named" encoder and then select which encoder you want to use dynamically.

In the previous example, you've set the sha512 algorithm for Acme\UserBundle\Entity\User. This may be secure enough for a regular user, but what if you want your admins to have a stronger algorithm, for example bcrypt. This can be done with named encoders:

  • YAML
  • XML
  • PHP 
1
2
3
4
5
6
7
# app/config/security.yml
security:
    # ...
    encoders:
        harsh:
            algorithm: bcrypt
            cost: 15

This creates an encoder named harsh. In order for a User instance to use it, the class must implement EncoderAwareInterface. The interface requires one method - getEncoderName() - which should return the name of the encoder to use:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
// src/Acme/UserBundle/Entity/User.php
namespace Acme\UserBundle\Entity;

use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\Encoder\EncoderAwareInterface;

class User implements UserInterface, EncoderAwareInterface
{
    public function getEncoderName()
    {
        if ($this->isAdmin()) {
            return 'harsh';
        }

        return null; // use the default encoder
    }
}

If you created your own password encoder implementing the PasswordEncoderInterface, you must register a service for it in order to use it as a named encoder:

  • YAML
  • XML
  • PHP 
1
2
3
4
5
6
# app/config/security.yml
security:
    # ...
    encoders:
        app_encoder:
            id: 'app.password_encoder_service'

This creates an encoder named app_encoder from a service named app.password_encoder_service.

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.
Go from dev to staging and production and back, in minutes

Go from dev to staging and production and back, in minutes

Measure & Improve Symfony Code Performance

Measure & Improve Symfony Code Performance

Code consumes server resources. Blackfire tells you how

Code consumes server resources. Blackfire tells you how