Project

General

Profile

Actions
Copy link

Feature #20577

closed

Create better session identifiers and add basic validation

Added by Oliver Hader almost 15 years ago. Updated about 13 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Christian Kuhn
Category:
-
Target version:
4.6.0
Start date:
2009-06-05
Due date:
% Done:

0%

Estimated time:
PHP Version:
5.2
Tags:
Complexity:
Sprint Focus:

Description

Current sesssion identifiers in TYPO3 are a MD5 representation of several parameters.
Due to several security requirements it might be necessary to have at least a 160bit session identifier (MD5 has only 128bit) - e.g. using SHA1 or SHA2.

Furthermore it should be ensured that a session identifier really was created by the TYPO3 system. It's not critical at all currently since a brute force attack against a 128bit value takes some time. However, the session id used in the cookie should have another hash that uses the encryption key to ensure that it really was created by the accordant TYPO3 website.

(issue imported from #M11280)

Files

0011280.patch (6.97 KB) 0011280.patch Administrator Admin, 2009-06-05 16:40

Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Bug #22369: Mitigate PHP's RNG vulnerabilityClosedHelmut Hummel2010-04-01

Actions
Actions
Copy link

Also available in: Atom PDF