TYPO3 Forge (http://forge.typo3.org/)
TYPO3 Core - Feature #71739: Security Improvement: (salted) hash session id before storing in the database

2016-05-27T15:07:57Z, Helmut Hummel (typo3@helhum.io), http://forge.typo3.org/issues/71739?journal_id=305365
<ul><li><strong>Tags</strong> set to <i>security</i></li></ul>

2016-05-27T15:53:02Z, Helmut Hummel (typo3@helhum.io), http://forge.typo3.org/issues/71739?journal_id=305380
<ul><li><strong>Category</strong> set to <i>Security</i></li></ul>

2017-02-23T14:55:32Z, Riccardo De Contardi (erredeco@gmail.com), http://forge.typo3.org/issues/71739?journal_id=324912
<ul><li><strong>Target version</strong> changed from <i>8 LTS</i> to <i>9.0</i></li></ul>

2018-01-28T14:41:24Z, Susanne Moog (susanne.moog@typo3.org), http://forge.typo3.org/issues/71739?journal_id=356074
<ul><li><strong>Target version</strong> changed from <i>9.0</i> to <i>9 LTS</i></li></ul>

2018-09-06T14:07:48Z, Susanne Moog (susanne.moog@typo3.org), http://forge.typo3.org/issues/71739?journal_id=372626
<ul><li><strong>Target version</strong> changed from <i>9 LTS</i> to <i>Candidate for Major Version</i></li></ul>

2022-04-04T17:05:29Z, Torben Hansen (derhansen@gmail.com), http://forge.typo3.org/issues/71739?journal_id=466789
<ul><li><strong>Status</strong> changed from <i>Accepted</i> to <i>Closed</i></li></ul>
<p>I checked this for the following:</p>
<p><strong>Session ids</strong></p>
<p>Session id is not persisted as clear text. Instead, a salted hash has been saved to the DB since the following TYPO3 security releases:</p>
<ul>
<li><a class="external" href="https://typo3.org/security/advisory/typo3-core-sa-2020-011">https://typo3.org/security/advisory/typo3-core-sa-2020-011</a></li>
<li><a class="external" href="https://typo3.org/security/advisory/typo3-core-sa-2021-006">https://typo3.org/security/advisory/typo3-core-sa-2021-006</a></li>
</ul>
<p><strong>fe_users password reset token</strong></p>
<p>Salted hash of password reset token is saved.</p>
<p><strong>be_users password reset token</strong></p>
<p>Salted hash of password reset token is saved.</p>
<p>The feature can therefore be considered as implemented and the ticket can be closed.</p>