Feature #20577

Create better session identifiers and add basic validation

Added by Oliver Hader almost 12 years ago. Updated about 10 years ago.

Should have
Target version:
Start date:
Due date:
% Done:


Estimated time:
PHP Version:
Sprint Focus:


Current sesssion identifiers in TYPO3 are a MD5 representation of several parameters.
Due to several security requirements it might be necessary to have at least a 160bit session identifier (MD5 has only 128bit) - e.g. using SHA1 or SHA2.

Furthermore it should be ensured that a session identifier really was created by the TYPO3 system. It's not critical at all currently since a brute force attack against a 128bit value takes some time. However, the session id used in the cookie should have another hash that uses the encryption key to ensure that it really was created by the accordant TYPO3 website.

(issue imported from #M11280)


0011280.patch (6.97 KB) 0011280.patch Administrator Admin, 2009-06-05 16:40

Related issues

Related to TYPO3 Core - Bug #22369: Mitigate PHP's RNG vulnerabilityClosedHelmut Hummel2010-04-01


Updated by Marcus Krause about 11 years ago

Hi Oliver!

Could you please outline what "better session identifiers" means?
  • Is it about "longer" SIDs?
  • Is it about "more entropy" in SIDs?

Making a SID longer does not necessarily means "make them more unique"!

This patch does both; extending the SID length and adding more entropy.


Updated by Ernesto Baschny over 10 years ago

Hi Olly, could you give some feedback on this issue?


Updated by Helmut Hummel over 10 years ago

The session identifyer creation is now in a separated method and could be changed easily.

However, Olly can you give us some feedback what your intention was creating this ticket?


Updated by Christian Kuhn over 10 years ago

Resolved, no change required: No more details given.

Also available in: Atom PDF