search

craftcms / cms

Build bespoke content experiences with Craft.
https://craftcms.com
Other
3.21k stars 624 forks source link

Feature request: Configurable hash in craft\controllers\UsersController#actionLogin() #2233

Closed sonjaq closed 6 years ago

sonjaq commented 6 years ago

Description

While working on a client project using Craft3, I noticed that UsersController#actionLogin() uses a hard-coded hash. When reviewing with my tech lead, we both felt iffy about having the hard-coded value in there. I feel good about the use of password_hash() and password_verify(), but it is ideal that this value be configurable.

Steps to reproduce

  1. Review the UsersController#actionLogin() source code at https://github.com/craftcms/cms/blob/develop/src/controllers/UsersController.php#L118
  2. Observe hard-coded hash value

Requested

The hash can be influenced via a configuration file (config/general.php?) or ENV setting.

Additional info

This behavior existed in previous versions of Craft in etc/users/UserIdentity.php

angrybrad commented 6 years ago

What's the security concern here? The purpose of that line is to add a consistent delay in the response for when a user tries to login with no username or the user doesn't have an existing password to help prevent timing-based attack vectors.

So it just spins some CPU cycles like it would if a password were actually entered.

sonjaq commented 6 years ago

Got it. I misunderstand the logic flow there. Thank you for explaining the reasoning for the hardcoded string.