- Download the latest Ion Auth 3 revision
- Overwrite "libraries/ion_auth.php" and "models/ion_auth_model.php" with the new versions.
- Overwrite "language/*" with the new versions.
- Overwrite "controllers/Auth.php" with the new version. Make sure to integrate this with any custom changes you already have in your previous version.
- Check "config/ion_auth.php" for changes.
Migrating from Ion Auth 2 is a bit more complex, depending on your configuration.
- Perform an upgrade as described above
- Check "config/ion_auth.php": some options were modified (see list in relevant chapter below)
- Run the SQL migration file according to your environment:
- MySQL: sql/migrating_from_ionauth2/migrate.sql
- postgreSQL: sql/migrating_from_ionauth2/migrate.postgre.sql
- SQL Server: sql/migrating_from_ionauth2/migrate.mssql.sql
- If you were not using the SHA1 hash method, you may also drop the `salt` column from the `users` table in your database
- If you were using the SHA1 hash method, please check the relevant chapter below
- Check your code for functions modification/removal (see list in relevant chapter below)
- Ensure your database connection is loaded before loading Ion Auth.
The config file has changed:
- For the Hash Method part:
  - `hash_method` now only accepts `bcrypt` or the newer `argon2` (PHP 7.2); `sha1` is no longer supported for security considerations, see note below
  - `default_rounds` is renamed to `bcrypt_default_cost`
  - `random_rounds`, `min_rounds`, `max_rounds` and `salt_prefix` are removed as they don't serve any purpose anymore
  - `argon2_default_params` is added for the Argon2 hash method
  - `bcrypt_admin_cost` and `argon2_admin_params` are added to tweak the hash parameters for users in the admin group
- For the Authentication options part:
  - `max_password_length` is removed, as it is not good practice to limit a password's length
- For the Cookie options part:
  - `random_identity_cookie_name` is removed as it doesn't serve any purpose anymore
- The Forgot Password Complete Email Template part is completely removed because the feature no longer exists due to a security issue:
  - `email_forgot_password_complete` is removed
- The Salt options part is completely removed due to the removal of the SHA1 hash method:
  - `salt_length` and `store_salt` are removed
Only public functions are listed below.

```php
Ion_auth_model::hash_password_db($id, $password, $use_sha1_override = FALSE)
/* ... is updated to... */
Ion_auth_model::verify_password($password, $hash_password_db, $identity = NULL)

Ion_auth_model::clear_forgotten_password_code($code)
/* ... is updated to... */
Ion_auth_model::clear_forgotten_password_code($identity)

Ion_auth_model::hash_password($password, $salt = FALSE, $use_sha1_override = FALSE)
/* ... is updated to... */
Ion_auth_model::hash_password($password, $identity = NULL)

Ion_auth_model::remember_user($id)
/* ... is updated to... */
Ion_auth_model::remember_user($identity)
```

```php
Ion_auth_model::forgotten_password_complete($code, $salt = FALSE) // old feature no longer available due to security issue
Ion_auth_model::hash_code($password) // No longer needed
Ion_auth_model::is_time_locked_out($identity, $ip_address = NULL) // Was deprecated, use is_max_login_attempts_exceeded()
Ion_auth_model::salt() // No longer needed
```

```php
Ion_auth_model::db()
Ion_auth_model::clear_remember_code($identity)
Ion_auth_model::get_user_by_forgotten_password_code($user_code)
Ion_auth_model::get_user_id_from_identity($identity = '')
Ion_auth_model::rehash_password_if_needed($hash, $identity, $password)
```

If you were using the SHA1 hash method in Ion Auth 2, this method is no longer supported.
SHA1 is known to be insecure for password hashing and should not be used.
However, fear not! The transition should be smooth for you and your users: after upgrading to Ion Auth 3, any user logging in to your application is migrated to the new hashing method. This is completely transparent.
You can monitor the migration by looking at the password field in your database: any value not starting with a dollar sign ('$') is an old SHA1-based hash.
After a while, you may want to invalidate the accounts of any users who still have a SHA1-based password hash.
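The transparent rehash-on-login flow described above, written out as an added PHP example so the behaviour can be audited; this is not Ion Auth's own code. The legacy SHA1 formula (`sha1($salt . $password)`), the cost value and the sample salt are constructed stand-ins: substitute the exact scheme your Ion Auth 2 install used before relying on this for real accounts.

```php
<?php
// Added illustration, not Ion Auth's own code: the "verify, then rehash if
// needed" step that Ion Auth 3 performs transparently on every successful login.
// ASSUMPTION (constructed stand-in): the legacy Ion Auth 2 SHA1 scheme is
// modelled as sha1($salt . $password); replace it with your real legacy formula.

const BCRYPT_COST = 12; // plays the role of the new bcrypt_default_cost option

// An Ion Auth 2 SHA1 hash is bare hex; every hash produced by password_hash()
// (bcrypt "$2y$", argon2 "$argon2i$"/"$argon2id$") starts with '$'.
function isLegacySha1Hash(string $stored): bool
{
    return $stored !== '' && $stored[0] !== '$';
}

function verifyLegacySha1(string $password, string $stored, string $salt): bool
{
    return hash_equals($stored, sha1($salt . $password)); // constant-time compare
}

/**
 * Verify $password against $stored. On success return the hash to persist:
 * a fresh bcrypt hash when $stored is legacy SHA1 or uses an outdated cost,
 * otherwise $stored unchanged. Return null when the password is wrong.
 */
function verifyAndUpgrade(string $password, string $stored, string $salt = ''): ?string
{
    $opts = ['cost' => BCRYPT_COST];
    if (isLegacySha1Hash($stored)) {
        if (!verifyLegacySha1($password, $stored, $salt)) {
            return null;
        }
        return password_hash($password, PASSWORD_BCRYPT, $opts); // migrate now
    }
    if (!password_verify($password, $stored)) {
        return null;
    }
    // Also picks up a raised cost after config/ion_auth.php is changed.
    return password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)
        ? password_hash($password, PASSWORD_BCRYPT, $opts)
        : $stored;
}

// Constructed sample row, as an Ion Auth 2 install would have stored it.
$salt   = 'a1b2c3d4';
$legacy = sha1($salt . 'correct horse');
$new    = verifyAndUpgrade('correct horse', $legacy, $salt);
echo ($new !== null && !isLegacySha1Hash($new)) ? "migrated to bcrypt\n" : "migration failed\n";
echo (verifyAndUpgrade('wrong password', $legacy, $salt) === null) ? "bad password rejected\n" : "BUG\n";
echo (verifyAndUpgrade('correct horse', $new) === $new) ? "no rehash needed on second login\n" : "BUG\n";
// Audit query matching the text: SELECT COUNT(*) FROM users WHERE password NOT LIKE '$%'
```

The audit query in the last comment counts the rows that have not yet been migrated, which is the same check the text describes for monitoring progress.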