What Is New in CakePHP 2.5
CakePHP 2.5 introduces several key updates focused on security enhancements, new features, and deprecations to prepare for the future. The changes are incremental, ensuring backward compatibility while nudging developers towards modern practices. Below is a summary of the main changes.
| Category | Key Changes |
|---|---|
| Security | New password hashing algorithm (bcrypt), Form tampering protection, Secure cookie defaults. |
| New Features | New PasswordHasher class, Lazy loading for associations, Improved Console output. |
| Improvements | Better exception messages, Session handling, i18n and Validation enhancements. |
| Deprecated | Security.salt behavior, AuthComponent password hashing, Several methods in core classes. |
| Bug Fixes | Various fixes across Routing, Console, Database, and View layers. |
How Did Password Security Improve?
The most significant upgrade is the move to bcrypt for password hashing. Previously, the framework used a weaker SHA1-based method. Now, the new PasswordHasher class provides a consistent, future-proof way to handle hashes.
In practice, this means new applications get strong security by default. Existing passwords remain valid as AuthComponent will upgrade them on the next successful login. This is a seamless but critical improvement for application security.
Form Tampering Protection
FormHelper now automatically includes a hash of the form's expected fields to prevent field tampering. This is enabled by default, adding a layer of protection without extra work from the developer.
What New Features Should I Use?
Lazy loading for associations is a welcome addition. You can now mark associations as 'lazy' => true in Model definitions. This defers loading related data until you actually request it, which can optimize performance in complex views.
The Console library got a refresh with ConsoleOutput and ConsoleInput classes. They offer more control and better testing capabilities for shell output and user input handling. It's a cleaner abstraction for building command-line tools.
```php
<?php
// Example: defining a lazy association on a model.
// Related Comment rows are not fetched until the association is accessed.
class Post extends AppModel {

    public $hasMany = array(
        'Comment' => array(
            'className' => 'Comment',
            'lazy' => true
        )
    );
}
```
What Was Deprecated and Why?
Several features were marked for removal in future versions to clean up the API. The way the Security.salt is used for password hashing is now deprecated in favor of the new PasswordHasher system.
AuthComponent's internal hashing methods are also deprecated. You should use the PasswordHasher class directly if you need to manage passwords outside of Auth. This change centralizes password logic in one, well-tested spot.
- Security::hash() for passwords is deprecated.
- Controller::redirectUrl() is deprecated.
- String class methods are deprecated in favor of the CakeText class.
Were There Any Behavior Changes?
Yes, some default behaviors changed for security and consistency. Cookies are now set with the HttpOnly and Secure flags by default when the request is HTTPS. This helps mitigate certain client-side attack vectors.
Session timeouts and cookie handling are more predictable. The Session.timeout setting now more accurately reflects when a session becomes invalid, which matters for applications with strict session management needs.
Validation rules for email and URL fields were updated to be stricter by default, aligning with current RFC standards. This might cause validation failures for older, malformed data, so check for it during the upgrade.
FAQ
Do I have to immediately change all my passwords after upgrading to 2.5?
No. The AuthComponent will automatically re-hash a user's password with bcrypt the next time they log in successfully. Your existing SHA1 hashes will continue to work until they are upgraded.
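The upgrade-on-login flow described in the password section and in this answer, as an added example that is not CakePHP's own code: it assumes the BlowfishPasswordHasher and SimplePasswordHasher classes from Controller/Component/Auth, a users table whose password column holds either a legacy salted SHA1 hash or a bcrypt hash, and a hypothetical User::verifyAndUpgrade() method that a custom authenticate object would call.

```php
<?php
// Added example, not from the CakePHP docs or this article.
// Assumes a CakePHP 2.5 app whose users.password column holds either a legacy
// SHA1 hash (Security::hash($pw, 'sha1', true)) or a bcrypt hash written by
// BlowfishPasswordHasher. Legacy hashes are replaced by bcrypt after the first
// successful check, so the whole table never needs an offline re-hash.
App::uses('AppModel', 'Model');
App::uses('BlowfishPasswordHasher', 'Controller/Component/Auth');
App::uses('SimplePasswordHasher', 'Controller/Component/Auth');

class User extends AppModel {

    /**
     * Hypothetical helper: verify a plaintext password against the stored
     * hash using the hasher that matches the hash format. Returns the user
     * row on success and false on failure. Assumes no beforeSave() callback
     * re-hashes the password field.
     */
    public function verifyAndUpgrade($username, $password) {
        $user = $this->find('first', array(
            'conditions' => array('User.username' => $username),
            'recursive' => -1,
        ));
        if (!$user) {
            return false;
        }
        $stored = $user['User']['password'];
        $bcrypt = new BlowfishPasswordHasher();

        // Bcrypt hashes carry a "$2a$" / "$2y$" prefix; check them directly.
        if (preg_match('/^\$2[aby]\$/', $stored)) {
            return $bcrypt->check($password, $stored) ? $user : false;
        }

        // Anything else is treated as a legacy salted SHA1 hash.
        $legacy = new SimplePasswordHasher(array('hashType' => 'sha1'));
        if (!$legacy->check($password, $stored)) {
            return false;
        }

        // Legacy check passed: rewrite the row with a bcrypt hash now, so the
        // weaker hash disappears from the database on this login.
        $this->id = $user['User']['id'];
        $this->saveField('password', $bcrypt->hash($password), false);
        return $user;
    }
}
```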
How do I enable the new form tampering protection?
It's enabled by default when you use FormHelper to create forms. If you need to disable it for a specific form, you can set 'secure' => false in the form options.
What should I use instead of the deprecated String class?
Use the new CakeText class. For example, change String::uuid() to CakeText::uuid(). The old methods currently work but will throw deprecation notices.
Does lazy loading of associations affect my existing find() calls?
No, it only applies to associations where you explicitly set 'lazy' => true. Existing queries and containable behavior work exactly as before.
Are the new secure cookie defaults going to break my HTTP site?
No. The Secure flag for cookies is only automatically set if the current request is made over HTTPS. For HTTP sites, the flag remains false, so cookies will work as expected.