function user_pass_rehash

Same name in other branches
  1. 9 core/modules/user/user.module \user_pass_rehash()
  2. 8.9.x core/modules/user/user.module \user_pass_rehash()
  3. 10 core/modules/user/user.module \user_pass_rehash()
  4. 11.x core/modules/user/user.module \user_pass_rehash()

Creates a unique hash value for use in time-dependent per-user URLs.

This hash is normally used to build a unique and secure URL that is sent to the user by email for purposes such as resetting the user's password. To validate the URL, the same hash can be generated again from the same information and compared to the hash value from the URL. The URL normally contains both the timestamp and the numeric user ID. The login timestamp and hashed password are retrieved from the database as necessary. For a usage example, see user_cancel_url() and user_cancel_confirm().

Parameters

string $password: The hashed user account password value.

int $timestamp: A UNIX timestamp, typically REQUEST_TIME.

int $login: The UNIX timestamp of the user's last login.

int $uid: The user ID of the user account.

string $mail: The e-mail address of the user.

Return value

A string that is safe for use in URLs and SQL statements.

13 calls to user_pass_rehash()
StatisticsAdminTestCase::testDeleteUser in modules/statistics/statistics.test
Tests that accesslog reflects when a user is deleted.
UserCancelTestCase::testUserAnonymize in modules/user/user.test
Delete account and anonymize all content.
UserCancelTestCase::testUserBlock in modules/user/user.test
Disable account and keep all content.
UserCancelTestCase::testUserBlockUnpublish in modules/user/user.test
Disable account and unpublish all content.
UserCancelTestCase::testUserCancelInvalid in modules/user/user.test
Attempt invalid account cancellations.

...

File

modules/user/user.module, line 2451

Code

function user_pass_rehash($password, $timestamp, $login, $uid, $mail = '') {
    // Backwards compatibility: Try to determine a $uid if one was not passed.
    // (Since $uid is a required parameter to this function, a PHP warning will
    // be generated if it's not provided, which is an indication that the calling
    // code should be updated. But the code below will try to generate a correct
    // hash in the meantime.)
    if (!isset($uid)) {
        $uids = db_query_range('SELECT uid FROM {users} WHERE pass = :password AND login = :login AND uid > 0', 0, 2, array(
            ':password' => $password,
            ':login' => $login,
        ))->fetchCol();
        // If exactly one user account matches the provided password and login
        // timestamp, proceed with that $uid.
        if (count($uids) == 1) {
            $uid = reset($uids);
        }
        else {
            return drupal_random_key();
        }
    }
    // Backwards compatibility: If the $mail parameter is not provided, load it
    // from the user object.
    if (empty($mail)) {
        $account = user_load($uid);
        $mail = $account->mail;
    }
    return drupal_hmac_base64($timestamp . $login . $uid . $mail, drupal_get_hash_salt() . $password);
}
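
The validation step described above (regenerate the hash from stored values and compare it with the one from the URL), shown as an added stand-alone example rather than Drupal core code. The example_* function names, the sample account values and the 24-hour lifetime are assumptions of this example; example_hmac_base64() reproduces the HMAC-SHA256, URL-safe base64 construction of drupal_hmac_base64(). Because the password hash is part of the HMAC key and the login timestamp is part of the data, a link stops validating once either value changes.

```php
<?php
// Added illustration, not Drupal core code. All example_* names are hypothetical.
// Same construction as Drupal 7's drupal_hmac_base64(): HMAC-SHA256 output,
// base64-encoded, then made URL-safe ('+' => '-', '/' => '_', padding removed).
function example_hmac_base64($data, $key) {
  $hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
  return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
}

// Mirrors the return statement of user_pass_rehash(); $salt stands in for
// the value of drupal_get_hash_salt().
function example_pass_rehash($salt, $password, $timestamp, $login, $uid, $mail) {
  return example_hmac_base64($timestamp . $login . $uid . $mail, $salt . $password);
}

// Validates the timestamp and hash taken from a URL against the stored
// account row. The 24-hour lifetime is an assumption of this example.
function example_validate_link(array $account, $salt, $timestamp, $hash, $now, $timeout = 86400) {
  // Reject non-numeric, future-dated, or expired timestamps before hashing.
  if (!ctype_digit((string) $timestamp) || $timestamp > $now || $now - $timestamp > $timeout) {
    return FALSE;
  }
  // A link issued before the most recent login is treated as stale.
  if ($timestamp < $account['login']) {
    return FALSE;
  }
  $expected = example_pass_rehash($salt, $account['pass'], $timestamp,
    $account['login'], $account['uid'], $account['mail']);
  // Constant-time comparison, so timing does not reveal matching prefixes.
  return hash_equals($expected, (string) $hash);
}

// Constructed sample data: not real credentials or a real site salt.
$salt = 'constructed-site-salt';
$account = array('uid' => 42, 'pass' => '$S$constructed-password-hash',
  'login' => 1700000000, 'mail' => 'user@example.com');
$issued = 1700003600;
$now = $issued + 600;
$hash = example_pass_rehash($salt, $account['pass'], $issued,
  $account['login'], $account['uid'], $account['mail']);
$changed_pass = array('pass' => '$S$new-constructed-hash') + $account;
$logged_in = array('login' => $issued + 60) + $account;
$results = array(
  'fresh link' => example_validate_link($account, $salt, $issued, $hash, $now),
  'after password change' => example_validate_link($changed_pass, $salt, $issued, $hash, $now),
  'after a later login' => example_validate_link($logged_in, $salt, $issued, $hash, $now),
  'past the lifetime' => example_validate_link($account, $salt, $issued, $hash, $issued + 86401),
);
var_export($results);
```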
