Hash nonce when using as file name

wouterj · wouterj · commit 673fd717330b · 2016-02-06T17:14:44.000+01:00
diff --git a/cookbook/security/custom_authentication_provider.rst b/cookbook/security/custom_authentication_provider.rst
@@ -256,14 +256,17 @@ the ``PasswordDigest`` header value matches with the user's password.
 
             // Validate that the nonce is *not* used in the last 5 minutes
             // if it has, this could be a replay attack
-            if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {
+            if (
+                file_exists($this->cacheDir.'/'.md5($nonce))
+                && file_get_contents($this->cacheDir.'/'.md5($nonce)) + 300 > time()
+            ) {
                 throw new NonceExpiredException('Previously used nonce detected');
             }
             // If cache directory does not exist we create it
             if (!is_dir($this->cacheDir)) {
                 mkdir($this->cacheDir, 0777, true);
             }
-            file_put_contents($this->cacheDir.'/'.$nonce, time());
+            file_put_contents($this->cacheDir.'/'.md5($nonce), time());
 
             // Validate Secret
             $expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));
