add random delay on login dokuwiki#4491

splitbrain · splitbrain · commit e37d2b418f45 · 2025-07-30T09:08:29.000+02:00
This is meant to mitigate timing attacks on the login mechanism.
diff --git a/inc/auth.php b/inc/auth.php
@@ -305,6 +305,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false)
 
     if (!empty($user)) {
         //usual login
+        if (!empty($pass)) usleep(rand(0, 250)); // add a random delay to prevent timing attacks #4491
         if (!empty($pass) && $auth->checkPass($user, $pass)) {
             // make logininfo globally available
             $INPUT->server->set('REMOTE_USER', $user);
