[5.5] [Security] Close `remember_me` Timing Attack Vector #21320
Since the default is for the token to be stored as a cookie and for cookies to be encrypted, an attacker would have to know the application secret to exploit this. However, should a custom guard be used or cookies not be encrypted, it becomes possible to tease this value out.
The proposed change switches to comparing the token using a constant-time comparison. This makes it impossible to learn the value of the token by timing responses, independently of guard or encryption settings.
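To illustrate the point of the change, here is an added example that is not part of the pull request or of the framework's code: a naive token comparison beside the constant-time form. The function names, the `?string` signatures and the sample token values are assumptions constructed for this illustration; only the use of `hash_equals()` as the constant-time comparison reflects what the description proposes.

```php
<?php
// Added example (not framework code): checking a remember-me token with a
// constant-time comparison, as the PR description proposes.
// Function names and sample values below are assumptions for illustration.

declare(strict_types=1);

/**
 * Before: a plain string comparison. `===` on strings stops at the first
 * differing byte, so the time a response takes depends on how many leading
 * bytes of the presented value match the stored token.
 */
function rememberTokenMatchesNaive(?string $stored, ?string $presented): bool
{
    return $stored !== null && $presented !== null && $stored === $presented;
}

/**
 * After: hash_equals() walks every byte of both strings regardless of where
 * they differ, so the comparison time does not depend on the token contents.
 * hash_equals() needs two strings; the null/empty guard keeps the failure
 * path from throwing and rejects a user record with no token set.
 */
function rememberTokenMatches(?string $stored, ?string $presented): bool
{
    if ($stored === null || $stored === '' || $presented === null || $presented === '') {
        return false;
    }
    // A length mismatch returns false right away; that reveals only the
    // length, which a fixed-width token does not treat as secret.
    return hash_equals($stored, $presented);
}

// Constructed sample data: the token as persisted for the user, the genuine
// value from the cookie, and a near-miss that differs only in the last byte.
$storedToken = 'n2Q6rmQ5QJX6Z0Y0v2h2F2cW8mJ7nKp3Vt1sLk9aBd4eRg7uHy0iOz5xCfEwSaPq'; // constructed
$presented   = $storedToken;                      // genuine cookie value
$tampered    = substr($storedToken, 0, -1) . 'X'; // constructed near-miss

var_dump(rememberTokenMatches($storedToken, $presented));
var_dump(rememberTokenMatches($storedToken, $tampered));
var_dump(rememberTokenMatches($storedToken, null));
var_dump(rememberTokenMatchesNaive($storedToken, $tampered));
```

Both functions return the same booleans for these inputs; the difference is only in how long the rejection of `$tampered` takes relative to a value that differs in its first byte, which is what the description's attacker with an unencrypted cookie or a custom guard would measure.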
Sep 21, 2017
After upgrading I get this error:
In this line:
Security updates stopped in January for 5.4.