How to use MD5 with the AuthComponent in CakePHP 3.9

Hello Guys. I am working on migrating a web application developed using CakePHP 1.2 I am migrating it to version 3.9.4. The user passwords in the database are all hashed using MD5 but version 3.9.4 uses bcrypt as the default hasher. I want to use MD5 so I can authenticate the users using MD5. Please guide me how can I do this. I have gone through this article and used the LegacyPasswordHasher class as guided in the article but it is not working. Here is how I configured the AuthComponent in AppController.

$this->loadComponent('Auth', [
            'authenticate' => ['Form' => [
                'passwordHasher' => [
                    'className' => 'Legacy',
                'fields' => [
                    'username' => 'email',
                    'password' => 'password',
            'loginAction' => [
                'controller' => 'Users',
                'action' => 'login',

And here is my LegcayPasswordHasher class:


namespace App\Auth;

use Cake\Auth\AbstractPasswordHasher;

class LegacyPasswordHasher extends AbstractPasswordHasher {
    public function hash($password) {
        return md5($password);

    public function check($password, $hashedPassword) {
        $userPassword = md5($password);
        return $userPassword === $hashedPassword;

Looking forward to your guidance. Thanks in advance.

Hey @FaISaLBliNK,
Have you tried this:

public function check($password, $hashedPassword)
return md5($password) === $hashedPassword;

In the LegacyPasswordHasher class the check() function was defined the way you mentioned … then I’ve changed it to this

public function check($password, $hashedPassword) {
        $userPassword = md5($password);
        return $userPassword === $hashedPassword;

Also tried the Fallback class as well and added it to the config for the Auth component in the AppController but it did not work … This was the login function with the Fallback class.

public function login()
    if ($this->request->is('post')) {
        $user = $this->Auth->identify();
        if ($user) {
            if ($this->Auth->authenticationProvider()->needsPasswordRehash()) {
                $user = $this->Users->get($this->Auth->user('id'));
                $user->password = $this->request->getData('password');
            return $this->redirect($this->Auth->redirectUrl());

It did not work because $this->Auth->identify() returns false

This post was flagged by the community and is temporarily hidden.

I will pastebin it to you … that way it will be more readable. Give me few minutes.

If I send it on github … won’t that be convenient ?

yes it’s more convenient share your git repo.

here is the repo

can you add your export db in git?

Sure sending you the .sql file

Here you go

@hala0409 were you able to import the db dump ?

I hope you didn’t send a random person on the internet your actual user database with actual usernames and actual hashed passwords…

it is a demo database.

1 Like

what is your meaning of DB dump?
and what is in the SQL file …

@hala0409 this is a .sql file you import it in a database. This file contains demo data for testing with the application … this is the db export you asked for.

@FaISaLBliNK but it was not imported this gives me an error of import time and i was also add a screenshot have you check in previous comment its not import in my phpmyadmin but i have also implement in one my project in this case i used a md5 here working good but in this project i use md5() in my UserController at a add and edit time and decrypt password at a login page same method md5() function.

Have used your GIT repo and created the schools database with users table.
I added a user record directly into this mysql database with an md5() password.
The repo works as expected. The software calls your legacy password hasher and checks the password against md5() during the login function. Had to change the redirect in the login function as your repo didn’t include a posts controller. But this has no bearing on password hashing.
Didn’t test setting a password as no register function in UsersController but don’t see why it shouldn’t work.
EDIT: Wrote a quick register function in your users controller. And the set password method in your LegancyPasswordHasher was called to create an md5() password.
So it all works as expected.
Did you create the SALT in the config file?