Since one of the recent security patches, frontend and backend user sessions are stored as HMAC-SHA256 if using redis storage backend, and HMAC-MD5 if using default database storage backend.

The reason for using the less collision-resistant md5 in the database backend over sha256 has been that the 64 characters of sha256 did not fit into the varchar(32) field of the ses_id fields. This would have led to trouble for users upgrading to the security patch level releases.

We now increase the field size to varchar(255) with this patch, and backport this to v10. A second patch will then switch only v11/master to sha256.

This way, users can increase db field size in v10 already to prepare for v11 and later upgrade to v11 without being logged out or experiencing db errors. Only users running current master will have to use the standalone install tool once to increase field size.

Strictly, a field size of 64 characters would be enough for sha256; we however raise to 255 to never run into this chicken-egg issue again - just in case.

Resolves: #93131
Releases: master, 10.4
Change-Id: Ifcafba0c3bae2f27ba0e13e6925007a6e1627d88
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67199
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
ef816532