[TYPO3-core] FYI: Added feature #11314: Extract functionality to create session ID from t3lib_userAuth::start()

Oliver Hader oliver at typo3.org
Fri Jun 12 10:24:22 CEST 2009


Hi Masi,

Martin Kutschker wrote:
> Francois Suter wrote:
>> Hi,
>>
>>> Problem:
>>> The length of the "hash" (session ID) is fixed to a maximum of 32 chars.
>>> If another hash-function shall be used to create the session ID, e.g.
>>> SHA1, it won't work.
>> Watch out, the session ID is written to the sessions tables (fe and be)
>> when a user logs in and the fields are varchar(32).
> 
> Besides that, why do we need a max. length for the hash, anyway? I fear
> it dates back from the time when Kasper liked to truncate md5-hashes to
> "save bytes" (or whatever his reasons were).

The comment for the hash_length variable says the following:
| The ident-hash is normally 32 characters and should be! But if you are
| making sites for WAP-devices og other lowbandwidth stuff, you may
| shorten the length. Never let this value drop below 6. A length of 6
| would give you more than 16 mio possibilities.

Thus, I think it's okay to have this hash-length information. But
there's no requirement to enforce the session ID to have 6 to 32
characters. If an extension wants to change this behaviour it should be
fine and the developer has to take care of modifying the fields in
the sessions table (e.g. VARCHAR(40)).

Since I don't see a real need for a max. hash length, I'd like to remove
that check completely (see attached patch).

What do you think?

olly
-- 
Oliver Hader
TYPO3 Release Manager 4.3

