SymfonyWorld Online 2021 Summer Edition
June 17 – 18, 2021
SymfonyWorld Online 2021 Winter Edition
December 9 – 10, 2021
  1. Home
  2. Documentation
  3. Security
  4. How to Use A Different Password Encoder Algorithm Per User

Warning: You are browsing the documentation for Symfony 4.2, which is no longer maintained.

Read the updated version of this page for Symfony 5.3 (the current stable version).

How to Use A Different Password Encoder Algorithm Per User

4.2 version
Maintained
4.4 5.3 current 5.4 dev 6.0
Unmaintained
2.7 2.8 3.0 3.1 3.2 3.3 3.4 4.0 4.1 4.2 4.3 5.0 5.1 5.2

How to Use A Different Password Encoder Algorithm Per User

Usually, the same password encoder is used for all users by configuring it to apply to all instances of a specific class:

  • YAML
    1
2
3
4
5
6
7
    # config/packages/security.yaml
security:
    # ...
    encoders:
        App\Entity\User:
            algorithm: bcrypt
            cost: 12
  • XML
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
    <!-- config/packages/security.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        https://symfony.com/schema/dic/services/services-1.0.xsd"
>
    <config>
        <!-- ... -->
        <encoder class="App\Entity\User"
            algorithm="bcrypt"
            cost=12
        />
    </config>
</srv:container>
  • PHP
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
    // config/packages/security.php
use App\Entity\User;

$container->loadFromExtension('security', [
    // ...
    'encoders' => [
        User::class => [
            'algorithm' => 'bcrypt',
            'cost' => 12,
        ],
    ],
]);

Another option is to use a “named” encoder and then select which encoder you want to use dynamically.

In the previous example, you’ve set the bcrypt algorithm for App\Entity\User. This may be secure enough for a regular user, but what if you want your admins to have a stronger algorithm, for example bcrypt with a higher cost. This can be done with named encoders:

  • YAML
    1
2
3
4
5
6
7
    # config/packages/security.yaml
security:
    # ...
    encoders:
        harsh:
            algorithm: bcrypt
            cost: 15
  • XML
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
    <!-- config/packages/security.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        https://symfony.com/schema/dic/services/services-1.0.xsd"
>

    <config>
        <!-- ... -->
        <encoder class="harsh"
            algorithm="bcrypt"
            cost="15"/>
    </config>
</srv:container>
  • PHP
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
    // config/packages/security.php
$container->loadFromExtension('security', [
    // ...
    'encoders' => [
        'harsh' => [
            'algorithm' => 'bcrypt',
            'cost'      => '15',
        ],
    ],
]);

Note

If you are running PHP 7.2+ or have the libsodium extension installed, then the recommended hashing algorithm to use is Argon2i.

This creates an encoder named harsh. In order for a User instance to use it, the class must implement Symfony\Component\Security\Core\Encoder\EncoderAwareInterface. The interface requires one method - getEncoderName() - which should return the name of the encoder to use:

// src/Acme/UserBundle/Entity/User.php
namespace Acme\UserBundle\Entity;

use Symfony\Component\Security\Core\Encoder\EncoderAwareInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class User implements UserInterface, EncoderAwareInterface
{
    public function getEncoderName()
    {
        if ($this->isAdmin()) {
            return 'harsh';
        }

        return null; // use the default encoder
    }
}

If you created your own password encoder implementing the Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface, you must register a service for it in order to use it as a named encoder:

  • YAML
    1
2
3
4
5
6
    # config/packages/security.yaml
security:
    # ...
    encoders:
        app_encoder:
            id: 'App\Security\Encoder\MyCustomPasswordEncoder'
  • XML
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
    <!-- config/packages/security.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        https://symfony.com/schema/dic/services/services-1.0.xsd"
>

    <config>
        <!-- ... -->
        <encoder class="app_encoder"
            id="App\Security\Encoder\MyCustomPasswordEncoder"/>
    </config>
</srv:container>
  • PHP
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
    // config/packages/security.php
// ...
use App\Security\Encoder\MyCustomPasswordEncoder;

$container->loadFromExtension('security', [
    // ...
    'encoders' => [
        'app_encoder' => [
            'id' => MyCustomPasswordEncoder::class,
        ],
    ],
]);

This creates an encoder named app_encoder from a service with the ID App\Security\Encoder\MyCustomPasswordEncoder.

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.