|author||Yorhel <email@example.com>||2014-10-16 13:46:23 +0200|
|committer||Yorhel <firstname.lastname@example.org>||2014-10-16 13:46:23 +0200|
Hash session tokens with SHA-1 when storing in DB
This ensures that, if an attacker ever gets read access to the database, he will not be able to compromise any accounts. SHA-1 suffices here, because the data being hashed is a random 20 byte string. The search space is so damn large that you can't sanely brute force it, nor are rainbow tables any use at that scale. They're not salted. The password reset tokens are also hashed in the database and do include salt, but I've no idea why we did that.
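The scheme the commit message describes, written out end to end as an added example (this is not VNDB code and not part of the commit): the client holds a random 20-byte token, the row holds only its SHA-1 digest, and a lookup hashes whatever the client presents before comparing. An in-memory SQLite table stands in for the real `sessions` table, a registered `sha1()` SQL function stands in for pgcrypto's `digest(token, 'sha1')`, and the column layout, the function names and the "legacy rows hold the raw token" assumption about the pre-2.24 behaviour are all assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3

TOKEN_LEN = 20  # the token is a random 20-byte string, as in the commit message


def hash_token(token: bytes) -> bytes:
    """Stored form of a token: its raw, unsalted SHA-1 digest (20 bytes)."""
    return hashlib.sha1(token).digest()


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the sessions table (assumed layout, not VNDB's)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (uid INTEGER NOT NULL, token BLOB PRIMARY KEY)")
    # SQLite has no pgcrypto; expose SHA-1 to SQL so the migration below can be
    # written the same way as update_2.24.sql's digest(token, 'sha1').
    db.create_function("sha1", 1, hash_token)
    return db


def create_session(db: sqlite3.Connection, uid: int) -> bytes:
    """Issue a session the post-2.24 way: the client gets the token, the DB gets the hash."""
    token = secrets.token_bytes(TOKEN_LEN)  # 160 bits from the OS CSPRNG
    db.execute("INSERT INTO sessions (uid, token) VALUES (?, ?)", (uid, hash_token(token)))
    return token


def lookup_session(db: sqlite3.Connection, token: bytes):
    """Map a presented token to a uid, or None if unknown.

    The presented value is hashed first, so a digest copied out of the
    database cannot be replayed as a token: it would be hashed again and
    never match the stored row.
    """
    if len(token) != TOKEN_LEN:
        return None
    row = db.execute("SELECT uid FROM sessions WHERE token = ?", (hash_token(token),)).fetchone()
    return None if row is None else row[0]


def insert_legacy_session(db: sqlite3.Connection, uid: int, token: bytes) -> None:
    """Assumed pre-2.24 behaviour: the row holds the raw token itself."""
    db.execute("INSERT INTO sessions (uid, token) VALUES (?, ?)", (uid, token))


def migrate_tokens(db: sqlite3.Connection) -> None:
    """Equivalent of update_2.24.sql. Run exactly once, before the new code
    starts issuing hashed tokens: it hashes whatever is in the column, so a
    second run (or a run after new-style rows exist) turns those rows into
    SHA-1(SHA-1(token)) and silently invalidates them."""
    db.execute("UPDATE sessions SET token = sha1(token)")


if __name__ == "__main__":
    db = open_db()
    token = create_session(db, 1)
    print("cookie token resolves to uid", lookup_session(db, token))
    print("leaked digest resolves to", lookup_session(db, hash_token(token)))
```

The migration caveat from the SQL comment falls out of `migrate_tokens` directly: legacy rows resolve only after one run, and a second run makes them unresolvable again, so the script has to be applied once and before the hashing code goes live.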
Diffstat (limited to 'util')
1 files changed, 6 insertions, 0 deletions
diff --git a/util/updates/update_2.24.sql b/util/updates/update_2.24.sql
new file mode 100644
@@ -0,0 +1,6 @@
+-- Session tokens are stored in the database as a SHA-1 on the actual token
+-- now. Note that this query should be executed only once, otherwise any
+-- existing sessions will be invalidated.
+-- CREATE EXTENSION pgcrypto;
+UPDATE sessions SET token = digest(token, 'sha1');
+-- DROP EXTENSION pgcrypto;
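Review bot: `digest(token, 'sha1')` returns `bytea`, and nothing in this hunk checks that `sessions.token` is a `bytea` column; if it is a text column the assignment on the `UPDATE` line will not go through as written, and the application's lookup must hash with the same encoding the column ends up holding, so either confirm the column type in the comment or use `encode(digest(token, 'sha1'), 'hex')` and match that on the lookup side. The "execute only once" warning on the comment lines is the only guard against a double run, which would turn every row into SHA-1 of SHA-1 and log everyone out; the `CREATE EXTENSION`/`DROP EXTENSION` lines being commented out means the statement fails outright on a database without pgcrypto loaded, which is worth stating as the intended precondition rather than leaving as a commented hint.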