Added unneeded hashing operation on login with nonexistent user #216

merged 1 commit into from May 6, 2012


None yet
2 participants

michaelbrooks commented May 3, 2012

Currently, if a user submits an identity and password to the login form, and the identity is not in the database, the form returns an error immediately. If the identity is in the database, the supplied password is checked against the stored hash, which takes a fraction of a second longer.

However, the difference is noticeable (about 100ms on my machine, using bcrypt with 10 rounds), which means that it would be possible for someone to determine if an account exists by the amount of time it takes for the login form to be processed.

I added a call to hash_password to the login() method to make the processing time when the user doesn't exist more equitable.


benedmunds commented May 3, 2012

VERY good thinking dude. Thanks!


michaelbrooks commented May 5, 2012

So is this good to go?


benedmunds commented May 6, 2012

Sorry, I thought I merged it in.

benedmunds merged commit c578048 into benedmunds:2 May 6, 2012

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment