From 3c7a3fc9e4af9513b4a3923c2f7a247972cb2b69 Mon Sep 17 00:00:00 2001
From: cktricky
Date: Sun, 18 Aug 2013 17:39:13 -0400
Subject: [PATCH] still working on the timing attack prevention tutorial

---
 app/models/user.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/models/user.rb b/app/models/user.rb
index f5030fd..18d1cf1 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -35,10 +35,10 @@ class User < ActiveRecord::Base
 end
 =begin
- # More secure version, but still lacking a decent hashing routine
+ # More secure version, still lacking a decent hashing routine, this is for timing attack prevention
 def self.authenticate(email, password)
- user = find_by_email(email)
- if user and Rack::Utils.secure_compare(user.password, Digest::MD5.hexdigest(password))
+ user = find_by_email(email) || User.new(:password => '')
+ if Rack::Utils.secure_compare(user.password, Digest::MD5.hexdigest(password))
 return user
 else
 raise "Incorrect username or password"