Jump to content

password hashing 1.6 -> 1.7


Recommended Posts

Hello community,

I have just migrated a prestashop 1.6 installation to prestashop 1.7.

I noticed that some users cannot login anymore. Their credentials don't fit anymore.
A quick look into the databases reveals, that the old user's passwords are hashed by MD5 and the newly registered users use another algorhitm. 

Since hashes are what they are, there could have been no way to "convert" the passwords to the new hashing scheme, alright.

And MD5 is not secure, and thus changed, alright, I get it. But:

What is the official suggestion to tackle this?
What do other merchantes do to ensure that all the users can log in?

I cannot be the first person who migrated and encountered this problem - yet I haven't found much official information.



Edited by PatStevens
typo (see edit history)

Share this post

Link to post
Share on other sites

I see that I should have done so. I have:

 'cookie_key' => 'something new',
 'cookie_iv' => 'some other code',
 'new_cookie_key' => 'reallyLongNewCode',

These cookie_key and cookie_iv weren't changed to the values from the old installation.
In the mean time the shop is running for a few months like this  400 new users registered.

If I change cookie_key and cookie_iv to the former values, can these new 400 users still log in?

What cookie keys are used for new users since 1.7?


Share this post

Link to post
Share on other sites

In 1.7, PrestaShop does not use "cookie_key" for new passwords (only for cookies).

On version 1.7 PrestaShop offers an encryption key migration mechanism.

For password bcrypt is used to verify the password. If the verification fails, PrestaShop tries to verify the password with the old md5 and cookie_key. If the old key is valid, PrestaShop re-encrypts the password with bcrypt .

You can study how it works in /src/PrestaShop/Core/Crypto/Hashing.php  and in the getByEmail(...) function of the Customer class.

For the cookie: new_cookie_key is used to read the cookie. If the reading fails, PrestaShop tries to read the cookie with the old cookie_key. If the old key is valid, PrestaShop re-encrypts the cookie with new_cookie_key .

  • Thanks 1

Share this post

Link to post
Share on other sites

I see it in the Hashing.php, thank you.

So actually, the $staticSalt (_COOKIE_KEY_) is never used for bcrypt method.

There could have no new password been created since 1.7 using _COOKIE_KEY_.
Only passwords were created using bcrypt (which doesn't use salt anyway, so no problem).

Users that have registered under 1.7 won't even lose their session, since their cookie was encrpyted with the new_cookie_key.



Share this post

Link to post
Share on other sites

  • 1 year later...

Hello guys!

 Im migrating from prestashop 1.6 to prestashop 1.7.

Just to make this clear (im not english native), in order to keep the 1.6 passwords, i just need to change the _COOKIE_KEY_ , right?

What about _COOKIE_IV_? Do I have to change it too?

Thank you!

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Create New...

Important Information

Cookies ensure the smooth running of our services. Using these, you accept the use of cookies. Learn More