How to Use A Different Password Encoder Algorithm Per User

Warning: You are browsing the documentation for Symfony 5.2, which is no longer maintained.

Read the updated version of this page for Symfony 6.2 (the current stable version).

Usually, the same password encoder is used for all users by configuring it to apply to all instances of a specific class:

# config/packages/security.yaml
security:
    # ...
    encoders:
        App\Entity\User:
            algorithm: auto
            cost: 12

<?xml version="1.0" encoding="UTF-8" ?>
<!-- config/packages/security.xml -->
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        https://symfony.com/schema/dic/services/services-1.0.xsd
        http://symfony.com/schema/dic/security
        https://symfony.com/schema/dic/security/security-1.0.xsd"
>
    <config>
        <!-- ... -->
        <encoder class="App\Entity\User"
            algorithm="auto"
            cost="12"
        />
    </config>
</srv:container>

// config/packages/security.php
use App\Entity\User;

$container->loadFromExtension('security', [
    // ...
    'encoders' => [
        User::class => [
            'algorithm' => 'auto',
            'cost' => 12,
        ],
    ],
]);

Another option is to use a "named" encoder and then select which encoder you want to use dynamically.

In the previous example, you've set the auto algorithm for App\Entity\User. This may be secure enough for a regular user, but what if you want your admins to have a stronger algorithm, for example auto with a higher cost? This can be done with named encoders:

# config/packages/security.yaml
security:
    # ...
    encoders:
        harsh:
            algorithm: auto
            cost: 15

<?xml version="1.0" encoding="UTF-8" ?>
<!-- config/packages/security.xml -->
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        https://symfony.com/schema/dic/services/services-1.0.xsd
        http://symfony.com/schema/dic/security
        https://symfony.com/schema/dic/security/security-1.0.xsd"
>

    <config>
        <!-- ... -->
        <encoder class="harsh"
            algorithm="auto"
            cost="15"/>
    </config>
</srv:container>

// config/packages/security.php
$container->loadFromExtension('security', [
    // ...
    'encoders' => [
        'harsh' => [
            'algorithm' => 'auto',
            'cost'      => 15,
        ],
    ],
]);

Note

If you are running PHP 7.2+ or have the libsodium extension installed, then the recommended hashing algorithm to use is Sodium.

This creates an encoder named harsh. In order for a User instance to use it, the class must implement EncoderAwareInterface. The interface requires one method - getEncoderName() - which should return the name of the encoder to use:

// src/Entity/User.php
namespace App\Entity;

use Symfony\Component\Security\Core\Encoder\EncoderAwareInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class User implements UserInterface, EncoderAwareInterface
{
    // ... UserInterface methods and the application's own isAdmin() are omitted here

    public function getEncoderName(): ?string
    {
        if ($this->isAdmin()) {
            return 'harsh';
        }

        return null; // use the default encoder
    }
}
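
Selecting harsh for admins only changes which encoder is used from then on: a hash stored while the account was a regular user keeps its old cost until the password is re-encoded. The script below is an added example, not part of the Symfony documentation; it shows the encoder lookup and a re-hash after a promotion. It assumes symfony/security-core 5.2 installed with Composer, builds the two encoders directly as bcrypt NativePasswordEncoder instances instead of loading them from the configuration above, and DemoUser, its properties and the sample password are hypothetical.

```php
<?php
// Added example (not Symfony's own code). Assumes: composer require symfony/security-core:^5.2
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Security\Core\Encoder\EncoderAwareInterface;
use Symfony\Component\Security\Core\Encoder\EncoderFactory;
use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;

// Hypothetical stand-in for App\Entity\User, reduced to what the lookup needs.
final class DemoUser implements EncoderAwareInterface
{
    public $isAdmin = false;
    public $passwordHash = '';

    public function getEncoderName(): ?string
    {
        return $this->isAdmin ? 'harsh' : null; // null = encoder registered for the class
    }
}

// Class-keyed default encoder (cost 12) and the named "harsh" encoder (cost 15).
// bcrypt is pinned here so that "cost" is the parameter that differs.
$factory = new EncoderFactory([
    DemoUser::class => new NativePasswordEncoder(null, null, 12, \PASSWORD_BCRYPT),
    'harsh'         => new NativePasswordEncoder(null, null, 15, \PASSWORD_BCRYPT),
]);

$plain = 'constructed-sample-passphrase'; // constructed sample value

// 1. Account created as a regular user: hashed by the default encoder.
$user = new DemoUser();
$user->passwordHash = $factory->getEncoder($user)->encodePassword($plain, null);
echo 'stored at signup:  ', substr($user->passwordHash, 0, 7), PHP_EOL;

// 2. Promotion: getEncoderName() now selects "harsh"; the stored hash is unchanged.
$user->isAdmin = true;
$harsh = $factory->getEncoder($user);

// 3. Next login: the old hash still verifies (bcrypt records its cost in the hash),
//    and needsRehash() reports that it is below the encoder's cost.
if ($harsh->isPasswordValid($user->passwordHash, $plain, null)
    && $harsh->needsRehash($user->passwordHash)) {
    // Re-encode while the plaintext is available and persist the new hash.
    $user->passwordHash = $harsh->encodePassword($plain, null);
}
echo 'stored after login: ', substr($user->passwordHash, 0, 7), PHP_EOL;
```

The printed prefix of each hash includes the bcrypt cost, so the two lines show whether the stored value was upgraded.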

If you created your own password encoder implementing the PasswordEncoderInterface, you must register a service for it in order to use it as a named encoder:

# config/packages/security.yaml
security:
    # ...
    encoders:
        app_encoder:
            id: 'App\Security\Encoder\MyCustomPasswordEncoder'

<?xml version="1.0" encoding="UTF-8" ?>
<!-- config/packages/security.xml -->
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        https://symfony.com/schema/dic/services/services-1.0.xsd
        http://symfony.com/schema/dic/security
        https://symfony.com/schema/dic/security/security-1.0.xsd"
>

    <config>
        <!-- ... -->
        <encoder class="app_encoder"
            id="App\Security\Encoder\MyCustomPasswordEncoder"/>
    </config>
</srv:container>

// config/packages/security.php
// ...
use App\Security\Encoder\MyCustomPasswordEncoder;

$container->loadFromExtension('security', [
    // ...
    'encoders' => [
        'app_encoder' => [
            'id' => MyCustomPasswordEncoder::class,
        ],
    ],
]);

This creates an encoder named app_encoder from a service with the ID App\Security\Encoder\MyCustomPasswordEncoder.

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.