• Christian Kuhn's avatar
    [TASK] Increase session id db field size · e4eee470
    Christian Kuhn authored and Benni Mack's avatar Benni Mack committed
    Since one of the recent security patches, frontend and
    backend user sessions are stored as HMAC-SHA256 if using
    redis storage backend, and HMAC-MD5 if using default
    database storage backend.
    Reason for using the less collision resistant md5 in
    database backend over sha256 has been, that the 64
    characters of sha256 did not fit into the varchar(32)
    field of the ses_id fields. This would have led to
    trouble for users upgrading to the security patch level
    We now increase the field size to varchar(255) with this
    patch, and backport this to v10. A second patch will then
    switch only v11/master to sha256. This way, users
    can increase db field size in v10 already to prepare for
    v11 and later upgrade to v11 without being logged out or
    experiencing db errors. Only users running current
    master will have to use the standalone install tool once
    to increase field size.
    Strictly, a field size of 64 characters would be enough
    for sha256, we however raise to 255 to never run into
    this chicken-egg issue again - just in case.
    Resolves: #93131
    Releases: master, 10.4
    Change-Id: Ifcafba0c3bae2f27ba0e13e6925007a6e1627d88
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67218
    Tested-by: default avatarTYPO3com <noreply@typo3.com>
    Tested-by: Oliver Bartsch's avatarOliver Bartsch <bo@cedev.de>
    Tested-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
    Reviewed-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
    Reviewed-by: Oliver Klee's avatarOliver Klee <typo3-coding@oliverklee.de>
    Reviewed-by: Oliver Bartsch's avatarOliver Bartsch <bo@cedev.de>