diff --git a/core/modules/user/tests/src/Kernel/UserPassRehashTest.php b/core/modules/user/tests/src/Kernel/UserPassRehashTest.php
new file mode 100644
index 00000000000..6f4bb85e6f8
--- /dev/null
+++ b/core/modules/user/tests/src/Kernel/UserPassRehashTest.php
@@ -0,0 +1,46 @@
+installEntitySchema('user');
+
+ $timestamp = \Drupal::time()->getRequestTime();
+
+ $user_a = $this->createUser([], NULL, FALSE, ['uid' => 12, 'mail' => '3user@example.com', 'login' => $timestamp - 1000]);
+ $user_b = $this->createUser([], NULL, FALSE, ['uid' => 123, 'mail' => 'user@example.com', 'login' => $timestamp - 1000]);
+
+ // Unset passwords after the users are created in order to avoid
+ // (different) password hashes being generated for the empty strings.
+ $user_a->setPassword('');
+ $user_b->setPassword('');
+
+ $hash_a = user_pass_rehash($user_a, $timestamp);
+ $hash_b = user_pass_rehash($user_b, $timestamp);
+
+ $this->assertNotEquals($hash_a, $hash_b);
+ }
+
+}
diff --git a/core/modules/user/user.module b/core/modules/user/user.module
index 171593ebed3..3acbfc83f1d 100644
--- a/core/modules/user/user.module
+++ b/core/modules/user/user.module
@@ -580,9 +580,9 @@ function user_cancel_url(UserInterface $account, $options = []) {
 */
 function user_pass_rehash(UserInterface $account, $timestamp) {
 $data = $timestamp;
- $data .= $account->getLastLoginTime();
- $data .= $account->id();
- $data .= $account->getEmail();
+ $data .= ':' . $account->getLastLoginTime();
+ $data .= ':' . $account->id();
+ $data .= ':' . $account->getEmail();
 return Crypt::hmacBase64($data, Settings::getHashSalt() . $account->getPassword());
 }
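Review bot: The new test pins only the uid/mail boundary (uid `12` + mail `3user@…` against uid `123` + mail `user@…`); the same ambiguity existed at the timestamp/login and login/uid boundaries, and nothing here asserts those are now delimited. A second pair whose `login` and `uid` values shift digits across their boundary (both created with the same `$timestamp`) would make the test fail again if any one of the three separators were later dropped. The opening of the test class and the test method's signature are not visible in this hunk, and the first added line appears truncated, so the setup that precedes `installEntitySchema('user')` cannot be reviewed from here.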
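Review bot: The three `':' .` separators are the whole fix, but nothing in the function says why they are there, so a tidy-up that rebuilds `$data` with plain concatenation would silently reintroduce the collision. A comment above the first `$data .=` line would anchor it, e.g. `// Delimit the fields: without separators two accounts can produce the same input (e.g. uid 12 + mail "3user@…" vs. uid 123 + mail "user@…") and therefore the same one-time token.` The `:` delimiter is unambiguous here because the last-login time and id are numeric and the email is the final field. Since the HMAC input changes, any one-time login or reset link generated before this lands will presumably stop validating; that is expected, but worth stating in the release note. The function's docblock ends at the ` */` context line, so its description is outside the hunk and may also need the new input format reflected.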