I am building an application that is sensitive to timing attacks. I was thinking that, instead of making an "if tree" where you nest if statements, I would just run all of the if statements and then check all of the conditions at the end, like so:
if (password_verify($pass, $hash)) {
    $cond1 = true;
} else {
    $cond1 = false;
}
// some more ifs that run in serial
if ($cond1 && $cond2 && $cond3 /* ... etc */) {
    // some code
}
But I believe that the final if statement will still be vulnerable because PHP cuts if statement evaluation short if there is some condition that would fail the entire statement. How can I work around this?
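One way to combine the checks without short-circuit evaluation, as an added example that is not part of the original post: every check runs unconditionally, and the results are accumulated with PHP's bitwise `&`, which always evaluates both operands. The helper `all_checks_pass()`, the token check and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper and constructed sample data.

/**
 * Combine check results with bitwise AND.
 * Unlike &&, the & operator never skips its right-hand operand,
 * and the loop has no early exit, so every result is always visited.
 */
function all_checks_pass(bool ...$results): bool
{
    $ok = 1;
    foreach ($results as $result) {
        $ok &= (int) $result;
    }
    return $ok === 1;
}

// Constructed sample data standing in for stored credentials.
$hash        = password_hash('correct horse', PASSWORD_DEFAULT);
$storedToken = bin2hex(random_bytes(16));

// Constructed request values: wrong password, correct token.
$pass  = 'wrong guess';
$token = $storedToken;

// Run every check before looking at any result.
// password_verify() and hash_equals() are the comparison functions
// PHP documents as safe against timing attacks.
$cond1 = password_verify($pass, $hash);
$cond2 = hash_equals($storedToken, $token);
$cond3 = true; // stand-in for a further check

// Single decision point: only the overall outcome is branched on.
if (all_checks_pass($cond1, $cond2, $cond3)) {
    echo "access granted\n";
} else {
    echo "access denied\n";
}
```

PHP gives no constant-time guarantee at the interpreter level, so this removes the data-dependent skipping of checks rather than all timing variation; the remaining branch depends only on the combined result.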