[TYPO3-core] FYI: Added feature #11314: Extract functionality to create session ID from t3lib_userAuth::start()

Oliver Hader oliver at typo3.org
Fri Jun 12 12:21:58 CEST 2009


FYI: Committed as follow-up to SVN Trunk (rev. 5582)

olly


Oliver Hader wrote:
> Hi Masi,
> 
> Martin Kutschker wrote:
>> Francois Suter wrote:
>>> Hi,
>>>
>>>> Problem:
>>>> The length of the "hash" (session ID) is fixed to a maximum of 32 chars.
>>>> If another hash-function shall be used to create the session ID, e.g.
>>>> SHA1, it won't work.
>>> Watch out, the session ID is written to the sessions tables (fe and be)
>>> when a user logs in and the fields are varchar(32).
>> Besides that, why do we need a max. length for the hash, anyway? I fear
>> it dates back from the time when Kasper liked to truncate md5-hashes to
>> "save bytes" (or whatever his reasons were).
> 
> The comment for the hash_length variable says the following:
> | The ident-hash is normally 32 characters and should be! But if you are
> | making sites for WAP-devices og other lowbandwidth stuff, you may
> | shorten the length. Never let this value drop below 6. A length of 6
> | would give you more than 16 mio possibilities.
> 
> Thus, I think it's okay to have this hash-length information. But
> there's no requirement to enforce the session ID to have 6 to 32
> characters. If an extension wants to change this behaviour it should be
> fine and the developer has to take care of modifying the fields in
> the sessions table (e.g. VARCHAR(40)).
> 
> Since I don't see a real need for a max. hash length, I'd like to remove
> that check completely (see attached patch).
> 
> What do you think?
> 
> olly
-- 
Oliver Hader
TYPO3 Release Manager 4.3

