stable
Clone or download
request #9578: Session tokens are stored in clear in the database
The goal of this contribution is to: * limit the impact of a leak of the session table * prevent timing attack existing with the current implementation In order to do that we hash the session token before storing it. Unlike passwords, we use a fast cryptographic hash function to limit the impact on performance. Also, the token is a large cryptographic random value so even with a fast hash function the bruteforce is not easy. You basically have to bruteforce the whole keyspace of the random value or find a collision in the hash function. Since we are not able to compare the token provided by the user and the one stored in constant time using the database engine, we need something to select the proper session before checking the token. This implies that all existing sessions will be invalidated by this change. Change-Id: Ic3ee00c9f4277aae57aa4f41f85dd201da61bac7
Modified Files
Name | ||||
---|---|---|---|---|
M | src/common/autoload.php | +6 | −3 | Go to diff View file |
M | src/common/dao/SessionDao.class.php | +39 | −1 | Go to diff View file |
M | src/common/dao/UserDao.class.php | +0 | −59 | Go to diff View file |
A | src/common/user/InvalidSessionException.php | +27 | −0 | Go to diff View file |
A | src/common/user/SessionDataAccessException.php | +27 | −0 | Go to diff View file |
A | src/common/user/SessionManager.php | +147 | −0 | Go to diff View file |
M | src/common/user/SessionNotCreatedException.class.php | +9 | −4 | Go to diff View file |
M | src/common/user/UserManager.class.php | +47 | −42 | Go to diff View file |
M | src/common/user/User_SOAPServer.class.php | +2 | −0 | Go to diff View file |
M | src/db/mysql/database_structure.sql | +4 | −5 | Go to diff View file |
A | src/db/mysql/updates/2016/201609131045_update_session_management.php | +62 | −0 | Go to diff View file |
M | src/utils/include.py | +11 | −0 | Go to diff View file |
M | src/utils/session.py | +16 | −6 | Go to diff View file |
A | tests/simpletest/common/user/SessionManagerTest.php | +160 | −0 | Go to diff View file |
M | tests/simpletest/common/user/UserManagerTest.php | +32 | −205 | Go to diff View file |
M | tests/simpletest/common/user/User_SOAPServerTest.php | +3 | −1 | Go to diff View file |