[TYPO3-core] RFC #9384: FE session hijacking
Martin Kutschker
masi-no at spam-typo3.org
Thu Sep 18 22:05:35 CEST 2008
Dmitry Dulepov [typo3] wrote:
> Hi!
>
> This is SVN patch request.
>
> Type: bug
>
> Branches: trunk, 4.2, 4.1
>
> BT reference: http://bugs.typo3.org/view.php?id=9384
>
> Problem: typo3/sysext/tslib/class.tslib_feuserauth.php limits the session id
> to 10 characters. The session id is an md5 value and that class just does a
> substr(), thus breaking md5 integrity. If there are two users whose IP
> addresses are from similar networks and whose md5 caches are similar, session
> hijacking will happen.
>
> Solution: drop 10 characters limit and use full 32 characters of md5
> like it is done for Backend.
Ok, but for the existing releases (including 4.0) I suggest setting
$hash_length to 32 (the real md5 hash size). This seems more in the spirit
of a patch-level release.
+1
Masi
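To make the entropy loss behind this report concrete, here is an added example that is not code from TYPO3 or from either poster. It models only the substr() truncation discussed above (not the IP-address part of the report): a constructed stand-in session-id generator (md5 over random bytes), a truncate() helper standing in for the substr() call with a hypothetical hash_length parameter, a birthday-bound estimate of collision probability for a given number of live sessions, and a search that actually produces a collision once the id is cut short enough to make that cheap.

```python
import hashlib
import math
import os

FULL_HEX_LEN = 32  # md5 is 128 bits, i.e. 32 hex characters


def make_session_id() -> str:
    """Constructed stand-in for a session id generator: md5 of 16 random bytes."""
    return hashlib.md5(os.urandom(16)).hexdigest()


def truncate(session_id: str, hash_length: int) -> str:
    """Mirror of substr($id, 0, $hash_length): keep only the first hash_length hex chars."""
    return session_id[:hash_length]


def collision_probability(num_sessions: int, hash_length: int) -> float:
    """Birthday-bound probability that at least two of num_sessions truncated ids coincide.

    Each hex character carries 4 bits, so the id space is 2**(4*hash_length) and
    p ~= 1 - exp(-n(n-1) / (2N)).
    """
    space = 2.0 ** (4 * hash_length)
    return 1.0 - math.exp(-num_sessions * (num_sessions - 1) / (2.0 * space))


def sessions_for_half_chance(hash_length: int) -> float:
    """Number of concurrent sessions at which a collision becomes a coin flip: sqrt(2 N ln 2)."""
    space = 2.0 ** (4 * hash_length)
    return math.sqrt(2.0 * space * math.log(2.0))


def find_collision(hash_length: int, max_sessions: int = 100_000):
    """Generate ids until two distinct full ids share the same truncated prefix.

    Returns (sessions_generated, first_id, second_id) or None if none found.
    With hash_length=4 (16 bits) a collision appears after a few hundred ids.
    """
    seen = {}
    for count in range(1, max_sessions + 1):
        sid = make_session_id()
        key = truncate(sid, hash_length)
        if key in seen and seen[key] != sid:
            return count, seen[key], sid
        seen[key] = sid
    return None


if __name__ == "__main__":
    for length in (4, 10, FULL_HEX_LEN):
        print(f"hash_length={length:2d}: 50% collision chance at ~{sessions_for_half_chance(length):.3g} sessions, "
              f"p(collision | 1e6 sessions)={collision_probability(1_000_000, length):.3g}")
    hit = find_collision(4)
    if hit:
        count, a, b = hit
        print(f"4-char prefix collision after {count} ids: {a} / {b} share {truncate(a, 4)}")
```

The point the numbers make: at 10 hex characters the space is 2^40, so around 1.2 million sessions give a 50% chance that two visitors share a truncated id, whereas the full 32 characters push that figure past 10^19. The find_collision() search uses a 4-character cut only so the demonstration finishes instantly; the mechanism is the same at 10.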