Project

General

Profile

Actions
Copy link

Feature #71739

closed

Security Improvement: (salted) hash session id before storing in the database

Added by Helmut Hummel about 9 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Security
Target version:
Candidate for Major Version
Start date:
2015-11-20
Due date:
% Done:

0%

Estimated time:
PHP Version:
Tags:
security
Complexity:
Sprint Focus:

Description

To make it harder to exploit read SQL injections, session id should not be stored in "clear text"

Besides that all other similar hashes (e.g. password reset hash) should be treated in the same way

Actions
Copy link
 #1

Updated by Helmut Hummel over 8 years ago

  • Tags set to security
Actions
Copy link
 #2

Updated by Helmut Hummel over 8 years ago

  • Category set to Security
Actions
Copy link
 #3

Updated by Riccardo De Contardi over 7 years ago

  • Target version changed from 8 LTS to 9.0
Actions
Copy link
 #4

Updated by Susanne Moog almost 7 years ago

  • Target version changed from 9.0 to 9 LTS
Actions
Copy link
 #5

Updated by Susanne Moog about 6 years ago

  • Target version changed from 9 LTS to Candidate for Major Version
Actions
Copy link
 #6

Updated by Torben Hansen over 2 years ago

  • Status changed from Accepted to Closed

I checked this for the following:

Session ids

Session id is not persisted as clear text. Instead a salted hash is saved to the DB since the following TYPO3 security releases:

fe_users password reset token

Salted hash of password reset token is saved.

be_users password reset token

Salted hash of password reset token is saved.

The feature can therefore be considered as implemented and the ticket can be closed.

Actions
Copy link

Also available in: Atom PDF