You're not actually using the $password parameter in your validatePassword function. Note: $password should be the plain text password entered and the second parameter should contain the hashed version you previously stored. Try this:
public function validatePassword($password){
    // $password is the plain text input; the second argument is the stored hash
    return password_verify($password, self::model()->password);
}
Also, it's best to not handle salting yourself. Just use the PASSWORD_DEFAULT option and do not salt. PHP will handle it. You can use password_needs_rehash() to check if you need to rehash the password if a PHP version upgrade changes the default.
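The full hash, verify and rehash cycle described above, as an added example that is not part of the original answer. The UserStore class, its method names and the sample users and passwords are hypothetical, and the in-memory array stands in for the database column that holds the hash.

```php
<?php
// Added example: in-memory store standing in for a users table (hypothetical).
final class UserStore
{
    /** @var array<string,string> username => stored password hash */
    private array $hashes = [];

    public function register(string $user, string $plain): void
    {
        // No manual salt: password_hash() generates one and embeds it in the hash.
        $this->hashes[$user] = password_hash($plain, PASSWORD_DEFAULT);
    }

    public function importHash(string $user, string $hash): void
    {
        $this->hashes[$user] = $hash;
    }

    public function login(string $user, string $plain): bool
    {
        $stored = $this->hashes[$user] ?? null;
        // First argument is the plain text input, second is the stored hash.
        if ($stored === null || !password_verify($plain, $stored)) {
            return false;
        }
        // The plain text is only available at login, so upgrade the hash here
        // when the algorithm or cost no longer matches the current default.
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $this->hashes[$user] = password_hash($plain, PASSWORD_DEFAULT);
        }
        return true;
    }

    public function hashInfo(string $user): array
    {
        return password_get_info($this->hashes[$user]);
    }
}

$store = new UserStore();
$store->register('alice', 'constructed-sample-password');
var_dump($store->login('alice', 'constructed-sample-password'));
var_dump($store->login('alice', 'wrong-password'));

// Constructed stand-in for a hash created under older, weaker settings.
$old = password_hash('constructed-sample-password', PASSWORD_BCRYPT, ['cost' => 4]);
$store->importHash('bob', $old);
var_dump($store->hashInfo('bob'));   // settings before login
$store->login('bob', 'constructed-sample-password');
var_dump($store->hashInfo('bob'));   // settings after the transparent rehash
```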