General question about Password Hash Issues and deployment

[ohthanks]

Hellllooo, 

This week I was deploying a site I have been working on locally on my macbook / lion install to my ubuntu dev server and realized I couldn't login to the admin on the remote server.

After spending an evening on it I think I narrowed it down to the fact that the install originated on my stock lion php build (version 5.3.13) that did not have mcrypt installed at the time and I was deploying to a 5.3.3 version on the remote server. The server was throwing "unable to generate hash" errors and I eventually resolved it by having "supportsBlowfish()" on line 220 of /wire/core/Password.php return false as per one of Ryans suggestions in a thread. 

So, my actual question is, it seems like PW 2.3 hashes are incompatible with earlier versions of php, what is the best practice for developing when you know (or don't know) if you are ending up on a version of php that will be incompatible with the passwords saved in the database? Do you plan to just reset the database passwords once you are setup on the production box or do you use an older version of PW in the event that you know blowfish support won't be available? Or just do what I did and force the install to revert back to a previous hash method? 

Just curious if anyone has had these issues or your thoughts on it. 

Thanks!

[ohthanks]

After reading a few more threads relating to this it seems like the obvious answer is to just upgrade php versions on my dev and local servers, which has worked. I think having 5.3.3 was the primary source of my issues. 

[ryan]

You are right, the best bet is to make sure your PHP versions are up to date. The current version of ProcessWire is the last version that will work with PHP versions prior to 5.3.8, so it won't be an issue for much longer. 

[obiuno]

Dear Ryan

I am a new user in processwire but after almost 2 weeks I am messing around with it, I must admit that I am really impressed. I am not a so called "developer" even though for years I develop and deploy few wordpress and mostly Drupal Sites (some big and some for personal or mid business use). Sorry for so may words .... I developed my self a mockup site for one o my clients in my MAMP and I tried to transfer it to my VPS, which runs 5.3.2-1 ubuntu 4.21, but in vain. I faced my self this hash password problem. I checked all of the threads in the forum and your suggestions about it and so I finally luckily found a solution and I present it here just For the rest of the new users to be aware!

I solved it out by just first installing the forgot password module and then by changing the code in the line 222 of password.php (PHP_VERSION, '5.3.0') to (PHP_VERSION, '5.4.0')

I really do not know if I did something correct but obviously this worked for me and in a no time .... after  logging back in I reset my initial password created a new one and here I am.. http://www.fifart.eu/apps/pkoptics/ (sorry it is in greek and just a mockup but I really like the fact that I made it with no installing dozens of modules (drupal) and with just a few lines of code which I found into the api and from several posts of your kind Forum's "Archibishops")..

Thanks again

[ryan]

Obiuno, it sounds like your PHP version may have had blowfish support excluded, so changing the php version to 5.4.0 forced it to use the older hashing mechanism. It would be more secure to use the new one, but it it doesn't work in your case, I'm glad you found a way around it. Thanks for outlining the process.