Store hash of session key

Authored by Jakub Vrana <jakub@vrana.cz> on May 31 2013, 02:30.

Description

Store hash of session key

Summary:
This prevents security by obscurity.
If I have read-only access to the database then I can pretend to be any logged-in user.

I've used PhabricatorHash::digest() (even though we don't need salt as the hashed string is random) to be compatible with user log.

Test Plan:
Applied patch.
Verified I'm still logged in.
Logged out.
Logged in.

$ arc tasks

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D6080
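
The reasoning in the summary above, as a standalone PHP example (added here; it is not code from this commit or from Phabricator). The class `HashedSessionStore`, its method names and the in-memory array standing in for the session table are assumptions, plain SHA-256 is used in place of `PhabricatorHash::digest()`, and the migration step is a hypothetical way to keep existing sessions valid.

```php
<?php
// Added example, not Phabricator code. The array stands in for the session
// table; SHA-256 stands in for PhabricatorHash::digest().
final class HashedSessionStore {
  private $rows = array(); // digest of session key => user ID

  private static function digest(string $key): string {
    // No salt: the input is 256 bits of CSPRNG output, so it cannot be
    // guessed or looked up in a precomputed table.
    return hash('sha256', $key);
  }

  // Create a session. The raw key goes only to the client (cookie).
  public function establish(int $userID): string {
    $key = bin2hex(random_bytes(32));
    $this->rows[self::digest($key)] = $userID;
    return $key;
  }

  // Resolve a presented cookie value to a user ID, or null if unknown.
  public function lookup(string $presented): ?int {
    return $this->rows[self::digest($presented)] ?? null;
  }

  // Hypothetical one-time migration: hash legacy plaintext keys in place.
  public function migrateLegacy(array $legacyRows): void {
    foreach ($legacyRows as $plainKey => $userID) {
      $this->rows[self::digest((string)$plainKey)] = $userID;
    }
  }

  // What someone with read-only access to the table sees.
  public function dump(): array {
    return $this->rows;
  }
}

$store = new HashedSessionStore();
$cookie = $store->establish(42);
var_dump($store->lookup($cookie) === 42);   // the real cookie resolves

// A value read from the table is a digest, not a key: presenting it as a
// cookie hashes it a second time, so it matches no row.
$leaked = (string)array_keys($store->dump())[0];
var_dump($store->lookup($leaked) === null);

// A session created before the change (constructed key) survives migration.
$store->migrateLegacy(array('constructed-legacy-key' => 7));
var_dump($store->lookup('constructed-legacy-key') === 7);
```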

Details

Committed
Jakub Vrana <jakub@vrana.cz>, May 31 2013, 02:30
Pushed
aubort, Jan 31 2017, 17:16
Parents
rPH4295de508fe2: Conpherence - add createthread method
Branches
Unknown
Tags
Unknown

Event Timeline

Jakub Vrana <jakub@vrana.cz> committed rPH32f91557f898: Store hash of session key (authored by Jakub Vrana <jakub@vrana.cz>). May 31 2013, 02:30