CakePHP 2.5 - Authentication doesn't work

Question

Following tutorial I tried to create simple authentication, but I can't log in - always get a message "Invalid username or password, try again". I don't understand why - username and password are correct. Please, help to find mistake.

My model

// app/Model/User.php
App::uses('AppModel', 'Model');
App::uses('SimplePasswordHasher', 'Controller/Component/Auth');

class User extends AppModel {
    public $validate = array(
        'username' => array(
            'required' => array(
                'rule' => array('notEmpty'),
                'message' => 'A username is required'
            )
        ),
        'password' => array(
            'required' => array(
            'rule' => array('notEmpty'),
            'message' => 'A password is required'
            )
        )
    );

    public function beforeSave($options = array()) {
        if (isset($this->data[$this->alias]['password'])) {
            $passwordHasher = new SimplePasswordHasher();
            $this->data[$this->alias]['password'] = $passwordHasher->hash(
                $this->data[$this->alias]['password']
            );
        }
        return true;
    }
}

My controller

// app/Controller/UsersController.php
class UsersController extends AppController {

    public function beforeFilter() {
        parent::beforeFilter();
        $this->Auth->allow('logout');
    }

    public function login() {
        if ($this->request->is('post')) {
            if ($this->Auth->login()) {
                return $this->redirect($this->Auth->redirect());
            }
            $this->Session->setFlash(__('Invalid username or password, try again'));
        } 
    }

    public function logout() {
        return $this->redirect($this->Auth->logout());
    }
}

AppController.php

class AppController extends Controller {

    public $components = array(
        'Session',
        'Auth' => array(
            'loginRedirect' => array(
                'controller' => 'good',
                'action' => 'index'
            ),
            'logoutRedirect' => array(
                'controller' => 'login',
                'action' => 'index',
                'home'
            ),
            'authenticate' => array(
                'Form' => array(
                    'passwordHasher' => array(
                    'className' => 'Simple',
                    'hashType' => 'md5'
                    )
                )
            )
        )
    );

    public function beforeFilter() {
        $this->Auth->deny();
    }
}

My view (login.ctp)

<div class="users form">
<?php echo $this->Session->flash('auth'); ?>
<?php echo $this->Form->create('User'); ?>
    <fieldset>
        <legend>
            <?php echo __('Please enter your username and password'); ?>
        </legend>
        <?php echo $this->Form->input('username', array('label' => 'Username'));
        echo $this->Form->input('password', array('label' => 'Password'));
        ?>
    </fieldset>
<?php echo $this->Form->end(__('Login')); ?>
</div>

DB table "users": id,username, password (as md5)

Answer 1

1. For AuthComponent you have configured SimplePasswordHasher to use "md5" but in your beforeSave() callback you are not configuring it to use md5 (it uses sha1 by default).

2. SimplePasswordHasher will append security salt to your password before hashing, so if you have manually added records in your user table without salting them it won't work. Unsalted md5 hashing is extremely weak. Would strong recommend not using that. But if you really want to, you will have to make and use a custom password hasher class which generates md5 hashes without salt.