How to Use A Different Password Encoder Algorithm Per User
Edit this pageWarning: You are browsing the documentation for Symfony 4.2, which is no longer maintained.
Read the updated version of this page for Symfony 6.1 (the current stable version).
How to Use A Different Password Encoder Algorithm Per User
Usually, the same password encoder is used for all users by configuring it to apply to all instances of a specific class:
- YAML
- XML
- PHP
1 2 3 4 5 6 7
# config/packages/security.yaml
security:
# ...
encoders:
App\Entity\User:
algorithm: bcrypt
cost: 12
Another option is to use a "named" encoder and then select which encoder you want to use dynamically.
In the previous example, you've set the bcrypt
algorithm for App\Entity\User
.
This may be secure enough for a regular user, but what if you want your admins
to have a stronger algorithm, for example bcrypt
with a higher cost. This can
be done with named encoders:
- YAML
- XML
- PHP
1 2 3 4 5 6 7
# config/packages/security.yaml
security:
# ...
encoders:
harsh:
algorithm: bcrypt
cost: 15
Note
If you are running PHP 7.2+ or have the libsodium extension installed, then the recommended hashing algorithm to use is Argon2i.
This creates an encoder named harsh
. In order for a User
instance
to use it, the class must implement
EncoderAwareInterface.
The interface requires one method - getEncoderName()
- which should return
the name of the encoder to use:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
// src/Acme/UserBundle/Entity/User.php
namespace Acme\UserBundle\Entity;
use Symfony\Component\Security\Core\Encoder\EncoderAwareInterface;
use Symfony\Component\Security\Core\User\UserInterface;
class User implements UserInterface, EncoderAwareInterface
{
public function getEncoderName()
{
if ($this->isAdmin()) {
return 'harsh';
}
return null; // use the default encoder
}
}
If you created your own password encoder implementing the PasswordEncoderInterface, you must register a service for it in order to use it as a named encoder:
- YAML
- XML
- PHP
1 2 3 4 5 6
# config/packages/security.yaml
security:
# ...
encoders:
app_encoder:
id: 'App\Security\Encoder\MyCustomPasswordEncoder'
This creates an encoder named app_encoder
from a service with the ID
App\Security\Encoder\MyCustomPasswordEncoder
.