Project

General

Profile

Actions

Feature #71739

closed

Security Improvement: (salted) hash session id before storing in the database

Added by Helmut Hummel about 9 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Security
Start date:
2015-11-20
Due date:
% Done:

0%

Estimated time:
PHP Version:
Tags:
security
Complexity:
Sprint Focus:

Description

To make it harder to exploit read SQL injections, session id should not be stored in "clear text"

Besides that all other similar hashes (e.g. password reset hash) should be treated in the same way

Actions #1

Updated by Helmut Hummel over 8 years ago

  • Tags set to security
Actions #2

Updated by Helmut Hummel over 8 years ago

  • Category set to Security
Actions #3

Updated by Riccardo De Contardi over 7 years ago

  • Target version changed from 8 LTS to 9.0
Actions #4

Updated by Susanne Moog almost 7 years ago

  • Target version changed from 9.0 to 9 LTS
Actions #5

Updated by Susanne Moog about 6 years ago

  • Target version changed from 9 LTS to Candidate for Major Version
Actions #6

Updated by Torben Hansen over 2 years ago

  • Status changed from Accepted to Closed

I checked this for the following:

Session ids

Session id is not persisted as clear text. Instead a salted hash is saved to the DB since the following TYPO3 security releases:

fe_users password reset token

Salted hash of password reset token is saved.

be_users password reset token

Salted hash of password reset token is saved.

The feature can therefore be considered as implemented and the ticket can be closed.

Actions

Also available in: Atom PDF