Opened 5 years ago

Last modified 10 months ago

#21076 assigned New feature

Offer the ability to store a hash of session IDs rather than the ID itself

Reported by: Tim Graham Owned by: Chris Griffin
Component: contrib.sessions Version: master
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no

Description

We should offer the ability to store a hash each session ID in the session backend rather the the ID itself. This hash should be reasonably fast, because it'll be re-computed for every request. Currently, if an attacker gains access to the session storage backend — which may easier than gaining access to the database — he can login as anyone on the site.

On a related note, we're inconsistent about whether or not we sign entries in the session backends. Some do, some don't. If we're hashing session keys by default, we should probably also sign everything by default.

Both of these things need an off-switch. There are a fair number of apps that rely on raw sessionids to provide cross-framework compatibility.

Change History (4)

comment:1 Changed 2 years ago by Rigel Di Scala

Owner: changed from nobody to Rigel Di Scala
Status: newassigned

comment:2 Changed 17 months ago by Chris Griffin

Owner: changed from Rigel Di Scala to Chris Griffin

comment:3 Changed 17 months ago by Chris Griffin

Has patch: set
Last edited 17 months ago by Tim Graham (previous) (diff)

comment:4 Changed 10 months ago by Carlton Gibson

Patch needs improvement: set

Aymeric reviewed this on the PR, leaving suggestions for improvement. Once those are (roughly) addressed please uncheck Patch needs improvement and we can have another look.

Note: See TracTickets for help on using tickets.
Back to Top