still working on the timing attack prevention tutorial

2013-08-18 17:39:13 -04:00
parent 979b6a229a
commit 3c7a3fc9e4
1 changed files with 3 additions and 3 deletions
@@ -35,10 +35,10 @@ class User < ActiveRecord::Base
  end  
   
 =begin
-  # More secure version, but still lacking a decent hashing routine
+  # More secure version, still lacking a decent hashing routine, this is for timing attack prevention
  def self.authenticate(email, password)
-       user = find_by_email(email)
-        if user and Rack::Utils.secure_compare(user.password, Digest::MD5.hexdigest(password))
+       user = find_by_email(email) || User.new(:password => '')
+        if Rack::Utils.secure_compare(user.password, Digest::MD5.hexdigest(password))
          return user
        else
          raise "Incorrect username or password"