id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
21076	Offer the ability to store a hash of session IDs rather than the ID itself	Tim Graham		"We should offer the ability to store a hash of each session ID in the session backend rather than the ID itself. This hash should be reasonably fast, because it'll be re-computed for every request. Currently, if an attacker gains access to the session storage backend — which may be easier than gaining access to the database — he can log in as anyone on the site.

On a related note, we're inconsistent about whether or not we sign entries in the session backends. Some do, some don't. If we're hashing session keys by default, we should probably also sign everything by default.

Both of these things need an off-switch. There are a fair number of apps that rely on raw sessionids to provide cross-framework compatibility."	New feature	new	contrib.sessions	dev	Normal			Aymeric Augustin Roman Donchenko	Accepted	0	0	0	0	0	0
