Offer the ability to store a hash of session IDs rather than the ID itself
|Reported by:||Tim Graham||Owned by:||Rigel Di Scala|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
We should offer the ability to store a hash of each session ID in the session backend rather than the ID itself. This hash should be reasonably fast, because it'll be re-computed for every request. Currently, if an attacker gains access to the session storage backend — which may be easier than gaining access to the database — he can log in as anyone on the site.
On a related note, we're inconsistent about whether or not we sign entries in the session backends. Some do, some don't. If we're hashing session keys by default, we should probably also sign everything by default.
Both of these things need an off-switch. There are a fair number of apps that rely on raw sessionids to provide cross-framework compatibility.
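A minimal sketch of the idea in this ticket, added here as an illustration; it is not Django's code or a proposed patch. The class name, the `hash_keys` off-switch, the `sha256$` prefix and the choice of SHA-256 as the fast hash are all assumptions, and an in-memory dict stands in for the real session backend.

```python
import hashlib
import secrets


class HashedKeySessionStore:
    """In-memory stand-in for a session backend (hypothetical, not Django's API)."""

    def __init__(self, hash_keys=True):
        # hash_keys=False is the off-switch for apps that share raw session IDs.
        self.hash_keys = hash_keys
        self._rows = {}  # everything someone with read access to the backend sees

    def _storage_key(self, session_id):
        if not self.hash_keys:
            return session_id
        # One fast, unsalted hash per request is enough here: session IDs are
        # long random values, so there is no small input space to enumerate.
        digest = hashlib.sha256(session_id.encode("ascii")).hexdigest()
        return "sha256$" + digest

    def create(self, data):
        session_id = secrets.token_urlsafe(32)  # only ever sent to the client
        self._rows[self._storage_key(session_id)] = dict(data)
        return session_id

    def load(self, session_id):
        # Re-hash the cookie value on every request and look up by the hash.
        return self._rows.get(self._storage_key(session_id))

    def delete(self, session_id):
        self._rows.pop(self._storage_key(session_id), None)

    def stored_keys(self):
        return list(self._rows)


def leaked_keys_that_work(store):
    """Count stored keys that still load a session when presented as a cookie."""
    return sum(1 for key in store.stored_keys() if store.load(key) is not None)


if __name__ == "__main__":
    for flag in (True, False):
        store = HashedKeySessionStore(hash_keys=flag)
        store.create({"user_id": 1})  # constructed sample session
        print(f"hash_keys={flag}: usable leaked keys = {leaked_keys_that_work(store)}")
```

With hashing on, a key read out of the backend no longer works as a cookie value, because the lookup hashes it a second time and finds nothing; with the off-switch set, the stored key is the cookie value.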