hashPasswordForCookie triggers deprecation warning with passwordless users (null passed to hash_hmac)

[joostdebruijn]

Laravel Version

12.48.1

PHP Version

8.5.2

Database Driver & Version

MariaDB 11.8.5

Description

In applications with passwordless users, calling hashPasswordForCookie results in a deprecation warning:

hash_hmac(): Passing null to parameter #2 ($data) of type string is deprecated in vendor/laravel/framework/src/Illuminate/Auth/SessionGuard.php on line 635

This happens because, for passwordless users, the password is null, which gets passed directly to hash_hmac as the $data paramete.

Related/possibly relevant: PR #58107 refactored handling of password storage in session cookies, but I am unsure what would be the secure or intended approach when the user does not have a password at all. I do not want to introduce custom logic for empty passwords that weakens security or causes inconsistencies in session handling. However, I believe there might be more occurrences in the framework where passwordless users might be a problem as well.

What is the best secure way forward to support passwordless users while addressing this deprecation?

Steps To Reproduce

1. Create a passwordless user (i.e., a user record where the password is null).
2. Attempt to perform an authentication task that triggers hashPasswordForCookie (such as using the "remember me" functionality).
3. Observe the following deprecation warning:
   hash_hmac(): Passing null to parameter #2 ($data) of type string is deprecated in vendor/laravel/framework/src/Illuminate/Auth/SessionGuard.php on line 635
4. The PHP version used is 8.5.

Expected: The framework should not produce deprecation warnings, and session/cookie security should remain strong even for users with no password set.

[crynobone]

Moving this to Ideas as the contract clearly suggest password should always be a string:

framework/src/Illuminate/Contracts/Auth/Authenticatable.php

Lines 28 to 33 in fed40f0

	/**
	* Get the password for the user.
	*
	* @return string
	*/
	public function getAuthPassword();