working on avoiding timing attacks piece

app/models/user.rb

@@ -25,17 +25,28 @@ class User < ActiveRecord::Base
   def self.authenticate(email, password)
        auth = nil
        user = find_by_email(email)
-       if user
+        raise "#{email} doesn't exist!" if !(user)
          if user.password == Digest::MD5.hexdigest(password)
            auth = user
          else
           raise "Incorrect Password!"
          end 
-       else
-          raise "#{email} doesn't exist!"
-       end
        return auth
   end  
+   
+=begin
+  # More secure version, but still lacking a decent hashing routine
+  def self.authenticate(email, password)
+       user = find_by_email(email)
+        if user and Rack::Utils.secure_compare(user.password, Digest::MD5.hexdigest(password))
+          return user
+        else
+          raise "Incorrect username or password"
+        end 
+   end
+=end   
+
+
     
   def assign_user_id
      unless @skip_user_id_assign.present? || self.user_id.present?

app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb

@@ -0,0 +1,69 @@
+<div class="widget">
+    <div class="widget-header">
+      <div class="title">
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A3 - Broken Authentication and Session Management - Insecure Compare and Timing Attacks
+      </div>
+    </div>
+    <div class="widget-body">
+      <div id="accordion1" class="accordion no-margin">
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapsePwdOne" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-info icon-white">
+              </i>
+              Description
+            </a>
+          </div>
+          <div class="accordion-body in collapse" id="collapsePwdOne" style="height: auto;">
+            <div class="accordion-inner">
+              
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapsePwdTwo" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-bug icon-white">
+              </i>
+              Bug
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapsePwdTwo" style="height: 0px;">
+            <div class="accordion-inner">
+	          	
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapsePwdThree" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-lightning icon-white">
+              </i>
+              Solution
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapsePwdThree" style="height: 0px;">
+            <div class="accordion-inner">
+             
+            </div>
+          </div>
+        </div>
+		<div class="accordion-group">
+          <div class="accordion-heading">
+            <a  style="background-color: rgb(181, 121, 158)" href="#collapsePwdFour" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-aid icon-white">
+              </i>
+              Hint
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapsePwdFour" style="height: 0px;">
+            <div class="accordion-inner">
+				<p class="desc">
+				
+				</p>	
+             </div>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>

app/views/tutorials/broken_auth.html.erb

@@ -10,6 +10,11 @@
 		      <%= render :partial => ("layouts/tutorial/broken_auth_sess/password_complexity")%>
 		    </div> <!-- End Span12-->
 		</div>
+		<div class="row-fluid">
+		    <div class="span12">
+		      <%= render :partial => ("layouts/tutorial/broken_auth_sess/insecure_compare")%>
+		    </div> <!-- End Span12-->
+		</div>
 	</div>
 </div>