[CORE] Add timing safe backwards compatible password_verify

This commit is contained in:
Daniel Supernault 2018-03-11 18:55:59 -06:00 committed by Diogo Cordeiro
parent 1049080df5
commit ad51998d67

View File

@ -52,6 +52,13 @@ class AuthCryptPlugin extends AuthenticationPlugin
return false;
}
// Timing safe password verification on supported PHP versions
if (function_exists('password_verify')) {
if (password_verify($password, $user->password)) {
return $user;
}
}
// crypt understands what the salt part of $user->password is
if ($user->password === crypt($password, $user->password)) {
return $user;