Code

Opened 8 months ago

#21076 new New feature

Offer the ability to store a hash of session IDs rather than the ID itself

Reported by: timo Owned by: nobody
Component: contrib.sessions Version: master
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

We should offer the ability to store a hash each session ID in the session backend rather the the ID itself. This hash should be reasonably fast, because it'll be re-computed for every request. Currently, if an attacker gains access to the session storage backend — which may easier than gaining access to the database — he can login as anyone on the site.

On a related note, we're inconsistent about whether or not we sign entries in the session backends. Some do, some don't. If we're hashing session keys by default, we should probably also sign everything by default.

Both of these things need an off-switch. There are a fair number of apps that rely on raw sessionids to provide cross-framework compatibility.

Attachments (0)

Change History (0)

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as new
The owner will be changed from nobody to anonymous. Next status will be 'assigned'
as The resolution will be set. Next status will be 'closed'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.