Commit 5b953128 authored by Christian Kuhn's avatar Christian Kuhn Committed by Oliver Hader

[TASK] Switch to sha256 in database session storage

With the increased DB ses_id field size, we can switch
from HMAC-MD5 to HMAC-SHA256 in master.

Resolves: #93136
Related: #93131
Releases: master
Change-Id: Ie6151bf1c396863290260dc0d504a25373a52725
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67221

Tested-by: default avatarTYPO3com <noreply@typo3.com>
Tested-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Tested-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Reviewed-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
parent 27881b60
......@@ -79,8 +79,7 @@ class DatabaseSessionBackend implements SessionBackendInterface, HashableSession
{
// The sha1 hash ensures we have good length for the key.
$key = sha1($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] . 'core-session-backend');
// @todo md5 is used as be_sessions.ses_id field only supports 32 characters in stable branches
return hash_hmac('md5', $sessionId, $key);
return hash_hmac('sha256', $sessionId, $key);
}
/**
......
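Review bot: The comment above `$key` ("The sha1 hash ensures we have good length for the key") and the method's docblock should now state that the result is a 64-character hex string from HMAC-SHA256, since the schema depends on that width; the `hash()` signature and its docblock sit outside the hunk. A comment such as `// HMAC-SHA256 yields 64 hex characters; be_sessions.ses_id must be at least that wide (see #93131).` records the coupling this change relies on. After the switch, rows keyed by the old HMAC-MD5 value presumably no longer match, so active backend sessions are invalidated on upgrade — expected, but worth a sentence in the docblock or release notes. Deriving the HMAC key via sha1 remains acceptable (HMAC imposes no particular key length), so no change is needed there.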
<?xml version="1.0" encoding="utf-8"?>
<dataset>
<be_sessions>
<!-- hash_hmac('md5', '886526ce72b86870739cc41991144ec1', sha1('iAmInvalid' . 'core-session-backend')) -->
<ses_id>a7475832dbc0aa7ed07bb1f800520d16</ses_id>
<!-- hash_hmac('sha256', '886526ce72b86870739cc41991144ec1', sha1('iAmInvalid' . 'core-session-backend')) -->
<ses_id>9869d429fc72742a476d5073d006d45dfb732962d9c024423efafef537e1c5bd</ses_id>
<ses_iplock>[DISABLED]</ses_iplock>
<ses_userid>1</ses_userid>
<ses_tstamp>1777777777</ses_tstamp>
<ses_data></ses_data>
</be_sessions>
<be_sessions>
<!-- hash_hmac('md5', 'ff83dfd81e20b34c27d3e97771a4525a', sha1('iAmInvalid' . 'core-session-backend')) -->
<ses_id>b99a7e54850ef064b7181d0de7d67900</ses_id>
<!-- hash_hmac('sha256', 'ff83dfd81e20b34c27d3e97771a4525a', sha1('iAmInvalid' . 'core-session-backend')) -->
<ses_id>f4c02f70058e79a8e7b523a266d4291007deacba6b2ca2536dd72d2fbb23696a</ses_id>
<ses_iplock>[DISABLED]</ses_iplock>
<ses_userid>2</ses_userid>
<ses_tstamp>1777777777</ses_tstamp>
......
......@@ -37,7 +37,7 @@ class DatabaseSessionBackendTest extends FunctionalTestCase
*/
protected $testSessionRecord = [
// DatabaseSessionBackend::hash('randomSessionId') with encryption key 12345
'ses_id' => '76898588caa1baee7984f4dc8adfed3b',
'ses_id' => '21c0e911565a67315cdc384889c470fd291feafbfa62e31ecf7409430640bc7a',
'ses_userid' => 1,
// serialize(['foo' => 'bar', 'boo' => 'far'])
'ses_data' => 'a:2:{s:3:"foo";s:3:"bar";s:3:"boo";s:3:"far";}',
......@@ -76,7 +76,7 @@ class DatabaseSessionBackendTest extends FunctionalTestCase
$expected = array_merge($this->testSessionRecord, ['ses_tstamp' => $GLOBALS['EXEC_TIME']]);
self::assertEquals($record, $expected);
self::assertEquals($expected, $record);
self::assertSame($expected['ses_data'], $this->subject->get('randomSessionId')['ses_data']);
self::assertSame($expected['ses_userid'], (int)$this->subject->get('randomSessionId')['ses_userid']);
}
......@@ -90,7 +90,7 @@ class DatabaseSessionBackendTest extends FunctionalTestCase
$expected = array_merge($this->testSessionRecord, ['ses_userid' => 0, 'ses_tstamp' => $GLOBALS['EXEC_TIME']]);
self::assertEquals($record, $expected);
self::assertEquals($expected, $record);
self::assertSame($expected['ses_data'], $this->subject->get('randomSessionId')['ses_data']);
self::assertSame($expected['ses_userid'], (int)$this->subject->get('randomSessionId')['ses_userid']);
}
......
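Review bot: Nothing in the visible hunks asserts that `DatabaseSessionBackend::hash()` now produces a 64-character value that fits the widened `ses_id` column, which is the precondition the commit message names; the hardcoded `ses_id` at the top of `$testSessionRecord` only pins one value. Unless another test in this class covers it, an assertion such as `self::assertSame(64, strlen($record['ses_id']));` next to the `assertEquals($expected, $record)` checks would catch a future hash/column mismatch. The test methods around these hunks start outside the shown lines.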
......@@ -33,17 +33,17 @@ class SessionManagerTest extends FunctionalTestCase
protected $testSessionRecords = [
'randomSessionId1' => [
// DatabaseSessionBackend::hash('randomSessionId1') with encryption key 12345
'ses_id' => 'e1ad65e4bad3c29e12c754c8e9f5927e',
'ses_id' => '92728358061fb01f95498e33ec4661e1edac4b59c18a06f2f80047747c749515',
'ses_userid' => 1,
],
'randomSessionId2' => [
// DatabaseSessionBackend::hash('randomSessionId2') with encryption key 12345
'ses_id' => '72b1cf1fccc010ddb760c6db03f668db',
'ses_id' => '531b1305780519abe3e2c6b8857d2efc51ed1944242a597c0b2dd76f94876897',
'ses_userid' => 1,
],
'randomSessionId3' => [
// DatabaseSessionBackend::hash('randomSessionId3') with encryption key 12345
'ses_id' => '7ee0836849b95d884108486c4a8973f3',
'ses_id' => '696a4c67e53a429327c82f09eaf20b2c634deed68a96d5c1d6cc28cf3d009654',
'ses_userid' => 2,
]
];
......