Closed sonjaq closed 6 years ago
What's the security concern here? The purpose of that line is to add a consistent delay in the response for when a user tries to log in with no username or the user doesn't have an existing password, to help prevent timing-based attack vectors.
So it just spins some CPU cycles like it would if a password were actually entered.
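The pattern described in the comment above, as an added example that is not Craft's own code: a login check that performs one password_verify() on every path, so an attacker cannot tell from response time whether a username exists or has a password set. The user store, the function names (loadUsers, dummyHash, loginLeaky, loginConstantWork, timeLogin) and the HASH_COST value are all assumptions for this illustration; the dummy hash is generated at startup with the same algorithm and cost as real hashes, which is the place a configurable or environment-supplied value would go.

```php
<?php
declare(strict_types=1);

// Added example, not Craft CMS code. Demonstrates the dummy-hash pattern:
// always run password_verify() so the response time does not reveal
// whether the username exists or has a password.

// Hash cost shared by real hashes and the dummy hash so both take the same time.
const HASH_COST = 10;

// Constructed user store standing in for the database (not Craft's schema).
// 'bob' exists but has no password set, e.g. a pending account.
function loadUsers(): array
{
    return [
        'alice' => ['passwordHash' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => HASH_COST])],
        'bob'   => ['passwordHash' => null],
    ];
}

// Dummy hash used when there is nothing real to compare against. Computed once
// at startup with the same algorithm and cost as real hashes; it could instead
// be read from configuration or an environment variable, as the issue requests.
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => HASH_COST]);
    }
    return $hash;
}

// Leaky version: returns early for unknown users or users without a password,
// so a failed login for those names is far faster than one for 'alice'.
function loginLeaky(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || $users[$username]['passwordHash'] === null) {
        return false;
    }
    return password_verify($password, $users[$username]['passwordHash']);
}

// Hardened version: does exactly one password_verify() on every path.
function loginConstantWork(array $users, string $username, string $password): bool
{
    $hash = $users[$username]['passwordHash'] ?? null;
    if ($hash === null) {
        // Unknown user or no password: burn the same work against the dummy
        // hash, then reject regardless of what password_verify() returned.
        password_verify($password, dummyHash());
        return false;
    }
    return password_verify($password, $hash);
}

// Measures how long one login attempt takes, in milliseconds.
function timeLogin(callable $login, array $users, string $username, string $password): float
{
    $start = hrtime(true);
    $login($users, $username, $password);
    return (hrtime(true) - $start) / 1e6;
}

$users = loadUsers();
dummyHash(); // warm the dummy hash so the first request is not slower than the rest

foreach (['loginLeaky', 'loginConstantWork'] as $fn) {
    printf("%s:\n", $fn);
    foreach (['alice', 'bob', 'nobody'] as $name) {
        printf("  %-7s %6.1f ms\n", $name, timeLogin($fn, $users, $name, 'wrong password'));
    }
}
```

Run it with `php login_timing.php` (PHP 7.3 or later for hrtime()). With loginLeaky, 'bob' and 'nobody' are rejected almost instantly while 'alice' costs a full bcrypt verification, which is exactly the signal a username-enumeration attack measures; with loginConstantWork all three names take about the same time, and the wrong password is still rejected on every path. Note that the dummy hash must use the same algorithm and cost as the real hashes, or the timings diverge again.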
Got it. I misunderstood the logic flow there. Thank you for explaining the reasoning for the hardcoded string.
Description

While working on a client project using Craft3, I noticed that UsersController#actionLogin() uses a hard-coded hash. When reviewing with my tech lead, we both felt iffy about having the hard-coded value in there. I feel good about the use of password_hash() and password_verify(), but it is ideal that this value be configurable.

Steps to reproduce

UsersController#actionLogin() source code at https://github.com/craftcms/cms/blob/develop/src/controllers/UsersController.php#L118

Requested

The hash can be influenced via a configuration file (config/general.php?) or ENV setting.

Additional info

This behavior existed in previous versions of Craft in etc/users/UserIdentity.php