| author | Yorhel <git@yorhel.nl> | 2014-10-16 13:46:23 +0200 |
|---|---|---|
| committer | Yorhel <git@yorhel.nl> | 2014-10-16 13:46:23 +0200 |
| commit | fab1253dbb4e7064c4c29fd4b4b34d6cd1c6734c | |
| tree | ced71fabb224616e1b430a009be9844c9686f020 /util | |
| parent | 5faaa1f3b1dfc53f59e7f748bc23048f48b274d2 | |
Hash session tokens with SHA-1 when storing in DB
This ensures that, if an attacker ever gets read access to the
database, he will not be able to compromise any accounts. SHA-1 suffices
here, because the data being hashed is a random 20 byte string. The
search space is so damn large that you can't sanely brute force it, nor
are rainbow tables any use at that scale.
They're not salted. The password reset tokens are also hashed in the
database and do include salt, but I've no idea why we did that.
Diffstat (limited to 'util')
| -rw-r--r-- | util/updates/update_2.24.sql | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/util/updates/update_2.24.sql b/util/updates/update_2.24.sql new file mode 100644 index 00000000..04d946f1 --- /dev/null +++ b/util/updates/update_2.24.sql @@ -0,0 +1,6 @@ +-- Session tokens are stored in the database as a SHA-1 on the actual token +-- now. Note that this query should be executed only once, otherwise any +-- existing sessions will be invalidated. +-- CREATE EXTENSION pgcrypto; +UPDATE sessions SET token = digest(token, 'sha1'); +-- DROP EXTENSION pgcrypto; |
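Review bot: The migration in update_2.24.sql is destructive if run twice and offers no way to detect that after the fact: the commit message says the raw token is a random 20-byte string, and a SHA-1 digest is also 20 bytes, so a second `UPDATE sessions SET token = digest(token, 'sha1');` silently double-hashes every token and invalidates all sessions with nothing in the column to distinguish the two states. The "execute only once" comment puts that entirely on operator discipline; consider running the UPDATE in the same transaction as whatever records that update 2.24 has been applied, so a re-run is refused rather than relied on not to happen. Separately, the `-- CREATE EXTENSION pgcrypto;` line is commented out, so `digest()` fails on any database where pgcrypto is not already installed; `CREATE EXTENSION IF NOT EXISTS pgcrypto;` is safe whether or not it is present, and the trailing `-- DROP EXTENSION pgcrypto;` should stay commented out unless it is known that nothing else (including the application code that now hashes tokens on lookup) depends on the extension.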