The user_pass_rehash() function is used for generating time-dependent per-user links, for example one-time login links.
In Backdrop 1.0.5, a new parameter was added to this function to fix security issues (see SA-CORE-2015-001); the user account ID should now be passed in.
Before:
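<?php
// Old three-argument call: no user ID is passed.
$timestamp = REQUEST_TIME;
$account = user_load($uid);
// Hash the same timestamp that is placed in the link.
$hash = user_pass_rehash($account->pass, $timestamp, $account->login);
?>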
After:
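<?php
$timestamp = REQUEST_TIME;
$account = user_load($uid);
// Hash the same timestamp that is placed in the link, and pass the
// account's user ID as the new fourth argument.
$hash = user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid);
?>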
If code is not updated for this change, Backdrop will generate a PHP warning every time the function is called without the user ID. For backwards compatibility, the generated hash will still work correctly when it is possible to securely do so; however, on some sites and in some situations the hashes will not work correctly until the code has been updated to pass in the user ID.
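The following added example (not Backdrop's own code) shows both halves of a module-defined per-user link using the four-argument call: the code that builds the link and the code that validates it must pass the same timestamp and user ID. The module name `mymodule`, its two functions, the `mymodule/confirm` path and the 24-hour lifetime are hypothetical.

```php
<?php
// Added example. 'mymodule', its functions and its path are hypothetical.

/**
 * Builds a time-limited, per-user confirmation link.
 */
function mymodule_confirm_url($account) {
  $timestamp = REQUEST_TIME;
  // Hash the same timestamp that goes into the URL, and pass the user ID.
  $hash = user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid);
  return url("mymodule/confirm/{$account->uid}/$timestamp/$hash", array('absolute' => TRUE));
}

/**
 * Checks the uid, timestamp and hash taken from such a link.
 */
function mymodule_confirm_is_valid($uid, $timestamp, $hash) {
  // Assumed validity window for this example: 24 hours.
  $lifetime = 86400;
  $timestamp = (int) $timestamp;
  // Reject links that have expired or that carry a future timestamp.
  if ($timestamp > REQUEST_TIME || REQUEST_TIME - $timestamp > $lifetime) {
    return FALSE;
  }
  $account = user_load((int) $uid);
  // Reject unknown, anonymous and blocked accounts.
  if (!$account || !$account->uid || !$account->status) {
    return FALSE;
  }
  // Recompute with the loaded account's own ID, so that a hash issued for
  // one account cannot validate for another.
  $expected = user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid);
  // Constant-time comparison; hash_equals() requires PHP 5.6 or later.
  return hash_equals($expected, (string) $hash);
}
```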
Introduced in branch:
1.0.x
Introduced in version:
1.0.5
Impacts:
Module developers