Search by Algolia
Back to symfony.com

How to Use A Different Password Encoder Algorithm Per User

Edit this page

Warning: You are browsing the documentation for Symfony 4.2, which is no longer maintained.

Read the updated version of this page for Symfony 6.1 (the current stable version).

How to Use A Different Password Encoder Algorithm Per User

Usually, the same password encoder is used for all users by configuring it to apply to all instances of a specific class:

  • YAML
  • XML
  • PHP 
1
2
3
4
5
6
7
# config/packages/security.yaml
security:
    # ...
    encoders:
        App\Entity\User:
            algorithm: bcrypt
            cost: 12

Another option is to use a "named" encoder and then select which encoder you want to use dynamically.

In the previous example, you've set the bcrypt algorithm for App\Entity\User. This may be secure enough for a regular user, but what if you want your admins to have a stronger algorithm, for example bcrypt with a higher cost. This can be done with named encoders:

  • YAML
  • XML
  • PHP 
1
2
3
4
5
6
7
# config/packages/security.yaml
security:
    # ...
    encoders:
        harsh:
            algorithm: bcrypt
            cost: 15

Note

If you are running PHP 7.2+ or have the libsodium extension installed, then the recommended hashing algorithm to use is Argon2i.

This creates an encoder named harsh. In order for a User instance to use it, the class must implement EncoderAwareInterface. The interface requires one method - getEncoderName() - which should return the name of the encoder to use:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
// src/Acme/UserBundle/Entity/User.php
namespace Acme\UserBundle\Entity;

use Symfony\Component\Security\Core\Encoder\EncoderAwareInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class User implements UserInterface, EncoderAwareInterface
{
    public function getEncoderName()
    {
        if ($this->isAdmin()) {
            return 'harsh';
        }

        return null; // use the default encoder
    }
}

If you created your own password encoder implementing the PasswordEncoderInterface, you must register a service for it in order to use it as a named encoder:

  • YAML
  • XML
  • PHP 
1
2
3
4
5
6
# config/packages/security.yaml
security:
    # ...
    encoders:
        app_encoder:
            id: 'App\Security\Encoder\MyCustomPasswordEncoder'

This creates an encoder named app_encoder from a service with the ID App\Security\Encoder\MyCustomPasswordEncoder.

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.
Bootstrap your project in minutes

Bootstrap your project in minutes

Check Code Performance in Dev, Test, Staging & Production

Check Code Performance in Dev, Test, Staging & Production

Be trained by SensioLabs experts (2 to 6 day sessions -- French or English).

Be trained by SensioLabs experts (2 to 6 day sessions -- French or English).