Merge pull request #1393 from markstory/constant-time-login

Hash passwords even when users don't exist.
José Lorenzo Rodríguez 2013-07-03 13:49:03 -07:00
commit 9c4775a220
2 changed files with 6 additions and 4 deletions


@ -83,6 +83,9 @@ abstract class BaseAuthenticate {
* conditions for Model::find('first'). If the $password param is not provided
* the password field will be present in returned array.
*
* Input passwords will be hashed even when a user doesn't exist. This
* helps mitigate timing attacks that are attempting to find valid usernames.
*
* @param string|array $username The username/identifier, or an array of find conditions.
* @param string $password The password, only used if $username param is string.
* @return boolean|array Either false on failure, or an array of user data.
@ -95,9 +98,6 @@ abstract class BaseAuthenticate {
if (is_array($username)) {
$conditions = $username;
} else {
if (!$password) {
return false;
}
$conditions = array(
$model . '.' . $fields['username'] => $username
);
@ -113,6 +113,7 @@ abstract class BaseAuthenticate {
'contain' => $this->settings['contain'],
));
if (empty($result[$model])) {
$this->passwordHasher()->hash($password);
return false;
}
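Review bot: The dummy hash at `$this->passwordHasher()->hash($password);` also runs on the find-conditions branch (`is_array($username)`), where the docblock still states the password is "only used if $username param is string" and `$password` is presumably null or empty; hashing there adds nothing to the timing mitigation and leaves the `@param` description inaccurate, and whether the configured hasher accepts a null argument depends on the hasher, which is not visible here. Either guard it, `if ($password !== null) { $this->passwordHasher()->hash($password); }`, or amend the `@param string $password` line to say the value is also fed to the hasher on a failed lookup. A why-comment above the call would keep the next reader from deleting it as a discarded result: `// Hash anyway so a missing user costs the same time as a wrong password.`. The enclosing method starts and ends outside the hunk, and the same docblock wording appears in the first hunk of this file.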


@ -86,7 +86,8 @@ class DigestAuthenticate extends BasicAuthenticate {
'realm' => '',
'qop' => 'auth',
'nonce' => '',
'opaque' => ''
'opaque' => '',
'passwordHasher' => 'Simple',
);
/**