Feature #71739 (closed)

Security Improvement: (salted) hash session id before storing in the database

Added by Helmut Hummel over 8 years ago. Updated about 2 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Security
Start date: 2015-11-20
Due date: -
% Done: 0%
Estimated time: -
PHP Version: -
Tags: security
Complexity: -
Sprint Focus: -

Description

To make it harder to exploit read SQL injections, the session id should not be stored in "clear text".

Besides that, all other similar hashes (e.g. the password reset hash) should be treated in the same way.
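The following is an added illustration of the pattern the ticket asks for; it is not TYPO3 code and does not use the TYPO3 API. It assumes a server-side secret read from configuration (here a constructed value) acts as the "salt" for a keyed hash, and it uses an in-memory array in place of the session table. The same helper covers the password reset tokens mentioned above, since those are also looked up by the value the user presents.

```php
<?php
// Added example (not TYPO3 code): persist only a keyed hash of the session id.
// Assumption: $serverSecret comes from configuration and never lives in the
// session table, so a read-only SQL injection that dumps the table yields
// values that cannot be replayed as cookies.

declare(strict_types=1);

final class HashedSessionStore
{
    /** @var array<string, array{user_id:int, created:int}> rows keyed by the hashed id (stands in for the DB table) */
    private array $rows = [];

    public function __construct(private string $serverSecret) {}

    // Value that is persisted: HMAC-SHA256 keyed with the server secret.
    // Deterministic, so lookups by presented id still work; not reversible,
    // and not forgeable without the secret.
    public function hashId(string $sessionId): string
    {
        return hash_hmac('sha256', $sessionId, $this->serverSecret);
    }

    // Create a session: the client receives the raw random id,
    // the store keeps only its hash.
    public function create(int $userId): string
    {
        $sessionId = bin2hex(random_bytes(32)); // 256 bits of entropy
        $this->rows[$this->hashId($sessionId)] = ['user_id' => $userId, 'created' => time()];
        return $sessionId;
    }

    // Resolve a presented cookie value to its row, or null if unknown.
    public function lookup(string $presentedId): ?array
    {
        return $this->rows[$this->hashId($presentedId)] ?? null;
    }

    // What an attacker with read-only database access would obtain.
    public function dumpTable(): array
    {
        return array_keys($this->rows);
    }
}

// Demonstration with a constructed secret.
$store  = new HashedSessionStore('example-secret-from-config');
$cookie = $store->create(42);

// The genuine cookie authenticates.
assert($store->lookup($cookie)['user_id'] === 42);

// A dumped hash is not a session id: presenting it resolves to nothing.
foreach ($store->dumpTable() as $leaked) {
    assert($store->lookup($leaked) === null);
}

echo "lookup by cookie works; leaked hashes do not authenticate\n";
```

A single server-wide secret (a pepper) rather than a per-row random salt is used because the row has to be found by the value the client presents; a per-row salt stored next to the hash would force a full-table scan on every request, and a salt that is not stored would make lookup impossible. The id itself carries 256 bits of randomness, so a fast hash keyed with the secret is sufficient here; slow password hashing is only needed for low-entropy, user-chosen secrets.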

Actions #1

Updated by Helmut Hummel almost 8 years ago

  • Tags set to security
Actions #2

Updated by Helmut Hummel almost 8 years ago

  • Category set to Security
Actions #3

Updated by Riccardo De Contardi about 7 years ago

  • Target version changed from 8 LTS to 9.0
Actions #4

Updated by Susanne Moog about 6 years ago

  • Target version changed from 9.0 to 9 LTS
Actions #5

Updated by Susanne Moog over 5 years ago

  • Target version changed from 9 LTS to Candidate for Major Version
Actions #6

Updated by Torben Hansen about 2 years ago

  • Status changed from Accepted to Closed

I checked this for the following:

Session ids

The session id is not persisted as clear text. Instead, a salted hash is saved to the DB since the following TYPO3 security releases:

fe_users password reset token

Salted hash of password reset token is saved.

be_users password reset token

Salted hash of password reset token is saved.

The feature can therefore be considered as implemented and the ticket can be closed.
