[TYPO3-dev] Encrypting fe user/session data

Steffen Müller typo3 at t3node.com
Fri Jan 27 17:57:21 CET 2012


Hi.

I was looking for a mechanism to transparently encrypt session and user
data in TYPO3. I don't see a possibility to do that with current stable
TYPO3 versions.

Before implementing a solution or asking for hooks in the corresponding
places, I'd like to discuss possible approaches with you. userAuth is
really weird, so chances are that something gets screwed up.
First of all, is there already an extension/patch around which serves my
purpose?

Since TYPO3 has its own session handling independent from PHP sessions,
suhosin session encryption is not an option.

Investigation of the tslib_feUserAuth class revealed that session data
cannot be transparently encrypted without changing the core. A solution
could be to add hooks to the functions which read/write data:
tslib_feUserAuth->storeSessionData()
tslib_feUserAuth->fetchSessionData()
t3lib_userauth->writeUC()
tslib_feUserAuth->isExistingSessionRecord()

Are there any other places which handle storing/fetching session data?

So far encrypting data on a system level should not be a problem. But
what about encryption bound to the particular session and even
particular user? This would prevent decryption by recomputing sessions
of other users. [1] But how to do that for fe_users without storing the
key together with user data?

I would be happy if you share your ideas to find a solution.

[1]
http://www.idontplaydarts.com/2011/11/decrypting-suhosin-sessions-and-cookies/

-- 
cheers,
Steffen

TYPO3 Blog: http://www.t3node.com/
Twitter: @t3node - http://twitter.com/t3node
