Description
Laravel Version
12.48.1
PHP Version
8.5.2
Database Driver & Version
MariaDB 11.8.5
Description
In applications with passwordless users, calling hashPasswordForCookie results in a deprecation warning:
hash_hmac(): Passing null to parameter #2 ($data) of type string is deprecated in vendor/laravel/framework/src/Illuminate/Auth/SessionGuard.php on line 635
This happens because, for passwordless users, the password is null, which gets passed directly to hash_hmac as the $data parameter.
Related/possibly relevant: PR #58107 refactored handling of password storage in session cookies, but I am unsure what would be the secure or intended approach when the user does not have a password at all. I do not want to introduce custom logic for empty passwords that weakens security or causes inconsistencies in session handling. However, I believe there might be more occurrences in the framework where passwordless users might be a problem as well.
What is the best secure way forward to support passwordless users while addressing this deprecation?
Steps To Reproduce
- Create a passwordless user (i.e., a user record where the password is null).
- Attempt to perform an authentication task that triggers hashPasswordForCookie (such as using the "remember me" functionality).
- Observe the following deprecation warning:
  hash_hmac(): Passing null to parameter #2 ($data) of type string is deprecated in vendor/laravel/framework/src/Illuminate/Auth/SessionGuard.php on line 635
- The PHP version used is 8.5.
Expected: The framework should not produce deprecation warnings, and session/cookie security should remain strong even for users with no password set.
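The following stand-alone PHP script is an added illustration, not code from Laravel or from this issue. It reproduces the deprecation outside the framework and shows what the null password turns into once PHP coerces it, so the security consequence is visible. It assumes that the call on line 635 has the shape `hash_hmac('sha256', $password, $key)` with the user's password as `$data` (the deprecation message names parameter #2 `$data`, and the report says the null password is passed there); the HMAC key, the helper names `hashPasswordForCookieLike` and `hashPasswordForCookieExplicit`, and the sample users are constructed for the example.

```php
<?php
// Added illustration only; not Laravel's SessionGuard code.
// Run under PHP 8.1+ in coercive mode (no strict_types), which is what makes
// hash_hmac() emit E_DEPRECATED for a null $data instead of throwing a TypeError.

// Surface deprecations as exceptions so the reproduction is visible on the CLI.
set_error_handler(function (int $errno, string $errstr): bool {
    if ($errno === E_DEPRECATED) {
        throw new ErrorException($errstr, 0, $errno);
    }
    return false; // fall through to PHP's default handling for other levels
});

// Constructed stand-in for the application key used as the HMAC key (assumption).
$appKey = random_bytes(32);

// Mirrors the assumed shape of the framework call: the user's password is $data.
function hashPasswordForCookieLike(?string $password, string $key): string
{
    return hash_hmac('sha256', $password, $key); // null here raises the deprecation
}

// Constructed sample users: one with a bcrypt-style hash, one passwordless.
$users = [
    'alice' => ['password' => password_hash('correct horse', PASSWORD_BCRYPT)],
    'bob'   => ['password' => null], // passwordless user from the report
];

foreach ($users as $name => $user) {
    try {
        $h = hashPasswordForCookieLike($user['password'], $appKey);
        echo "$name: cookie hash computed ($h)\n";
    } catch (ErrorException $e) {
        echo "$name: reproduced -> {$e->getMessage()}\n";
    }
}

// What the coercion silently does: null becomes '' before hashing. Every
// passwordless user therefore shares the same password component of the hash,
// so the cookie no longer binds to "the password at login time" for them.
function hashPasswordForCookieExplicit(?string $password, string $key): string
{
    $data = $password ?? ''; // make the null case explicit instead of coerced
    return hash_hmac('sha256', $data, $key);
}

$shared = hashPasswordForCookieExplicit(null, $appKey);
$empty  = hashPasswordForCookieExplicit('', $appKey);
echo "null and '' hash identically: " . var_export(hash_equals($shared, $empty), true) . "\n";
```

Running it prints the computed hash for the user with a password, the reproduced deprecation text for the passwordless user, and `true` for the final comparison. The last line is the security-relevant observation for the question asked above: silencing the warning by coercing null to an empty string keeps the hash a string but makes the password-derived part of the cookie identical for all passwordless users, so for those accounts revocation has to come from the remember token rather than from a password change.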