[TYPO3-dev] Encrypting fe user/session data
Kay Strobach
typo3 at kay-strobach.de
Fri Jan 27 18:09:40 CET 2012
Hi Steffen,
you need to store the key in the browser of the user (e.g. in a cookie),
otherwise you may use the userpass for that purpose ;)
Regards
Kay
On 27.01.2012 17:57, Steffen Müller wrote:
> Hi.
>
> I was looking for a mechanism to transparently encrypt session and user
> data in TYPO3. I don't see a possibility to do that with current stable
> TYPO3 versions.
>
> Before implementing a solution or asking for hooks in the corresponding
> places, I'd like to discuss possible approaches with you. userAuth is
> really weird, so chances are that something gets screwed up.
> First of all, is there already an extension/patch around which serves my
> purpose?
>
> Since TYPO3 has its own session handling independent from PHP sessions,
> suhosin session encryption is not an option.
>
> Investigation of the tslib_feUserAuth class revealed that session data
> cannot be transparently encrypted without changing the core. A solution
> could be to add hooks to the functions which read/write data:
> tslib_feUserAuth->storeSessionData()
> tslib_feUserAuth->fetchSessionData()
> t3lib_userauth->writeUC()
> tslib_feUserAuth->isExistingSessionRecord()
>
> Are there any other places which handle storing/fetching session data?
>
> So far encrypting data on a system level should not be a problem. But
> what about encryption bound to the particular session and even
> particular user? This would prevent decryption by recomputing sessions
> of other users. [1] But how to do that for fe_users without storing the
> key together with user data?
>
> I would be happy if you share your ideas to find a solution.
>
> [1]
> http://www.idontplaydarts.com/2011/11/decrypting-suhosin-sessions-and-cookies/
>
--
http://www.kay-strobach.de - Open Source Rocks
TYPO3 .... inspiring people to share!
Get involved: http://typo3.org
Answer was useful: https://flattr.com/profile/kaystrobach
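The approach Kay sketches above (encrypt the stored session data under a key that either lives only in a browser cookie or is derived from the user's password at login, so that nothing in the database can reproduce it) as a worked example. This is added illustration, not TYPO3 core code and not code posted by Kay or Steffen; it is written in Go rather than PHP so it runs stand-alone, and the names KeyFromPassword, NewCookieKey, SealSession, OpenSession, pbkdf2SHA256 and the iteration count are assumptions for the example. The salt, password and session payload are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed iteration count for the example; tune to your hardware.
const kdfIterations = 100000

// pbkdf2SHA256 computes one PBKDF2-HMAC-SHA256 output block (RFC 8018), which
// is exactly the 32 bytes AES-256 needs. Written out to stay within the
// standard library; a deployment should use a maintained KDF package.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of the first block
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// KeyFromPassword derives the session key from the clear-text password, which
// the server only sees at login. Only the random per-user salt is stored with
// the user row, so the stored data alone cannot reproduce the key.
func KeyFromPassword(password string, salt []byte) []byte {
	return pbkdf2SHA256([]byte(password), salt, kdfIterations)
}

// NewCookieKey is the alternative for sessions without a password: a random
// key handed to the browser in a cookie and never written to the database.
func NewCookieKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealSession encrypts serialized session data with AES-256-GCM. The session
// id is bound in as associated data, so a blob copied into another session's
// row fails to authenticate even under the same key. Output: nonce || ct || tag.
func SealSession(key []byte, sessionID string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(sessionID)), nil
}

// OpenSession reverses SealSession; a wrong key, wrong session id or any
// modification of the stored blob is reported as an error, never as garbage.
func OpenSession(key []byte, sessionID string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("session blob too short")
	}
	pt, err := aead.Open(nil, blob[:ns], blob[ns:], []byte(sessionID))
	if err != nil {
		return nil, errors.New("session data does not authenticate: wrong key, wrong session id or tampered")
	}
	return pt, nil
}

func main() {
	// Constructed sample: a per-user random salt (stored) and the login password (not stored).
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	key := KeyFromPassword("correct horse battery staple", salt)
	blob, err := SealSession(key, "c0ffee1234", []byte(`{"cart":[42],"lang":"de"}`))
	if err != nil {
		panic(err)
	}
	pt, err := OpenSession(key, "c0ffee1234", blob)
	fmt.Printf("owner reads: %s (err=%v)\n", pt, err)
	_, err = OpenSession(KeyFromPassword("someone else's password", salt), "c0ffee1234", blob)
	fmt.Println("other user's key:", err)
	_, err = OpenSession(key, "deadbeef99", blob)
	fmt.Println("blob moved to another session row:", err)
}
```

Two caveats that follow from this design: the derived key has to be kept somewhere for the lifetime of the session (in server memory or, as Kay says, in the cookie), because the password is gone after login; and a password change or reset makes old session blobs unreadable, which is usually acceptable for session data but not for anything you need to keep.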