From fab1253dbb4e7064c4c29fd4b4b34d6cd1c6734c Mon Sep 17 00:00:00 2001
From: Yorhel
Date: Thu, 16 Oct 2014 13:46:23 +0200
Subject: Hash session tokens with SHA-1 when storing in DB
This ensures that, if an attacker evers gets read access to the database, he will not be able to compromise any accounts. SHA-1 suffices here, because the data being hashed is a random 20 byte string. The search space is so damn large that you can't sanely brute force it, nor are rainbow tables any use at that scale. They're not salted. The password reset tokens are also hashed in the database and do include salt, but I've no idea why we did that.
---
util/updates/update_2.24.sql | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 util/updates/update_2.24.sql
(limited to 'util')
diff --git a/util/updates/update_2.24.sql b/util/updates/update_2.24.sql
new file mode 100644
index 00000000..04d946f1
--- /dev/null
+++ b/util/updates/update_2.24.sql
@@ -0,0 +1,6 @@
+-- Session tokens are stored in the database as a SHA-1 on the actual token
+-- now. Note that this query should be executed only once, otherwise any
+-- existing sessions will be invalidated.
+-- CREATE EXTENSION pgcrypto;
+UPDATE sessions SET token = digest(token, 'sha1');
+-- DROP EXTENSION pgcrypto;
-- cgit v1.2.3
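Review bot: A second run of the `UPDATE` cannot be detected from the data. Per the commit message the raw token is a random 20 byte string, and a SHA-1 digest is also 20 bytes, so a double-hashed row looks the same as a correctly migrated one and the only symptom is that sessions stop validating. The header comment warns about running it once, but it could also give the recovery path, e.g. `-- If this was run twice, the stored values no longer match any client token; clear the sessions table and let users log in again.` The commented-out extension lines deserve a reason as well, e.g. `-- pgcrypto is only needed for this update; uncomment CREATE/DROP if it is not already installed (typically needs elevated privileges).` It may also be worth noting in the comment that dumps or backups taken before this update still hold the unhashed tokens of sessions that remain valid afterwards, so expiring old sessions is the safer choice if such copies exist.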