Commit ef816532 authored by Christian Kuhn, committed by Benni Mack

[TASK] Increase session id db field size

Since one of the recent security patches, frontend and
backend user sessions are stored as HMAC-SHA256 if using
the redis storage backend, and HMAC-MD5 if using the default
database storage backend.

The reason for using the less collision-resistant md5 in
the database backend over sha256 has been that the 64
characters of sha256 did not fit into the varchar(32)
ses_id fields. This would have led to
trouble for users upgrading to the security patch level
releases.

We now increase the field size to varchar(255) with this
patch, and backport this to v10. A second patch will then
switch only v11/master to sha256. This way, users
can increase db field size in v10 already to prepare for
v11 and later upgrade to v11 without being logged out or
experiencing db errors. Only users running current
master will have to use the standalone install tool once
to increase field size.

Strictly, a field size of 64 characters would be enough
for sha256; we however raise it to 255 to never run into
this chicken-and-egg issue again - just in case.

Resolves: #93131
Releases: master, 10.4
Change-Id: Ifcafba0c3bae2f27ba0e13e6925007a6e1627d88
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67199

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
parent b75ae535
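To make the sizing argument in the commit message concrete, here is an added example (not TYPO3's own code) of the storage scheme it describes: the client keeps the raw session id in its cookie, the server stores only an HMAC of it, and the width of the stored value depends on the HMAC algorithm. The encryption key, the `SessionStore` class and the strict-mode width check are assumptions made for illustration; the 32/64-character lengths are the hex digest sizes of HMAC-MD5 and HMAC-SHA256.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the installation's secret; a real deployment
# derives its HMAC key from its own configured encryption key.
ENCRYPTION_KEY = b"example-installation-encryption-key"


def hash_session_id(raw_session_id: str, algo: str, key: bytes = ENCRYPTION_KEY) -> str:
    """Hex HMAC of the raw cookie value; this is what lands in ses_id.

    A database dump therefore reveals HMACs, not cookie values a client could
    replay: md5 yields 32 hex chars, sha256 yields 64.
    """
    return hmac.new(key, raw_session_id.encode("ascii"), algo).hexdigest()


def fits_column(value: str, varchar_width: int) -> bool:
    """Mimic MySQL strict mode, which rejects an INSERT whose value is longer
    than the declared varchar width instead of silently truncating it."""
    return len(value) <= varchar_width


class SessionStore:
    """Toy server-side session table keyed by the hashed id (assumption)."""

    def __init__(self, algo: str, varchar_width: int) -> None:
        self.algo = algo
        self.width = varchar_width
        self.rows: dict[str, int] = {}  # ses_id (hashed) -> ses_userid

    def create(self, user_id: int) -> str:
        """Create a session and return the raw id to be sent as the cookie."""
        raw = secrets.token_hex(16)  # 32 hex chars handed to the client
        stored = hash_session_id(raw, self.algo)
        if not fits_column(stored, self.width):
            raise ValueError(
                f"{self.algo} HMAC is {len(stored)} chars, "
                f"column is varchar({self.width})"
            )
        self.rows[stored] = user_id
        return raw

    def lookup(self, raw_cookie: str):
        """Resolve a presented cookie value to a user id, or None."""
        return self.rows.get(hash_session_id(raw_cookie, self.algo))


def widths_for(algos=("md5", "sha256")) -> dict:
    """Stored length per algorithm, for comparing against a varchar width."""
    return {algo: len(hash_session_id("probe", algo)) for algo in algos}


if __name__ == "__main__":
    print(widths_for())  # md5 fits varchar(32); sha256 needs at least 64
    store = SessionStore("sha256", 255)
    cookie = store.create(7)
    print(store.lookup(cookie))               # 7: the raw cookie resolves
    print(store.lookup(hash_session_id(cookie, "sha256")))  # None: a leaked row does not
    try:
        SessionStore("sha256", 32).create(7)  # the pre-patch varchar(32) case
    except ValueError as err:
        print(err)
```

The `SessionStore("sha256", 32)` call is the situation the commit avoids: with the old column width every new HMAC-SHA256 session would fail to insert on a strict-mode database, which is why the width is raised first and the algorithm switched only afterwards.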
......@@ -26,7 +26,7 @@ CREATE TABLE be_groups (
# Table structure for table 'be_sessions'
#
CREATE TABLE be_sessions (
ses_id varchar(32) DEFAULT '' NOT NULL,
ses_id varchar(255) DEFAULT '' NOT NULL,
ses_iplock varchar(39) DEFAULT '' NOT NULL,
ses_userid int(11) unsigned DEFAULT '0' NOT NULL,
ses_tstamp int(11) unsigned DEFAULT '0' NOT NULL,
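Review bot: if ses_id is the primary key or otherwise indexed, the new `ses_id varchar(255) DEFAULT '' NOT NULL,` implies an index prefix of up to 1020 bytes under utf8mb4, which exceeds the 767-byte limit still enforced on InnoDB tables using the COMPACT/REDUNDANT row format (older MySQL defaults, or tables created before a server upgrade); the ALTER TABLE that the Install Tool generates from this file would fail there with "Specified key was too long". Since the commit message itself concedes 64 characters suffice for a hex HMAC-SHA256, either document that constraint for upgraders or pick a width that stays within the limit. The hunk also only touches the schema definition, so every existing installation must run the database compare step, which the message mentions only for users on master.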
......@@ -26,7 +26,7 @@ CREATE TABLE fe_groups (
# Table structure for table 'fe_sessions'
#
CREATE TABLE fe_sessions (
ses_id varchar(32) DEFAULT '' NOT NULL,
ses_id varchar(255) DEFAULT '' NOT NULL,
ses_iplock varchar(39) DEFAULT '' NOT NULL,
ses_userid int(11) unsigned DEFAULT '0' NOT NULL,
ses_tstamp int(11) unsigned DEFAULT '0' NOT NULL,
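Review bot: the fe_sessions widening mirrors be_sessions, which is right since both tables must accept the same session id format; note however that fe_sessions typically holds far more rows than be_sessions, so the index-size consequences of a 255-character key (and the ALTER TABLE on an existing large table during upgrade) matter more here. Consider adding a note to the release documentation that the frontend sessions table will be altered, so operators of busy sites can schedule the schema change.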