team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

still working on the timing attack prevention tutorial

Browse Source
This commit is contained in:
cktricky
2013-08-18 17:39:13 -04:00
parent 979b6a229a
commit 3c7a3fc9e4
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/models/user.rb
+3 -3
View File
@@ -35,10 +35,10 @@ class User < ActiveRecord::Base
end end
=begin =begin
# More secure version, but still lacking a decent hashing routine # More secure version, still lacking a decent hashing routine, this is for timing attack prevention
def self.authenticate(email, password) def self.authenticate(email, password)
user = find_by_email(email) user = find_by_email(email) || User.new(:password => '')
if user and Rack::Utils.secure_compare(user.password, Digest::MD5.hexdigest(password)) if Rack::Utils.secure_compare(user.password, Digest::MD5.hexdigest(password))
return user return user
else else
raise "Incorrect username or password" raise "Incorrect username or password"