Disable hashing of ses_id possible?

Hi Community,

Please excuse my bad English ;-).
We upgraded our Typo-Server from 9.5.7 to 9.5.31.
Since then, the ses_id is no longer equal to fe_typo_user in the $_COOKIES global.

We have a lot of third-party apps, which use the typo3-Frontend-Login.
Our SQL-Selects: "…where ses_id='$_COOKIE[fe_typo_user]'" won't work anymore.

Is there a way to hash $_COOKIE[fe_typo_user] to get the same value as stored in ses_id?
Or can we disable the hashing?

Thanks in advance!

Marc

Sorry for the late reply, I did not check talk.typo3.org frequently…

The change you are referring to was part of a security fix, which is described at TYPO3-CORE-SA-2020-011: Cleartext storage of session identifier.
Besides that, I also demonstrated a potential attack technically during the TYPO3 Online Days 2021, which can be watched again on YouTube at TYPO3 Online Days 2021 - #T3OD21 - Day 2 - June 30, 2021 - YouTube

The hashing implementation for the database component is shown at [SECURITY] Protect persisted session IDs from being used directly · TYPO3/typo3@dc26a4a · GitHub

For security reasons (as explained in the resources above), it is not possible to deactivate hashing (via HMAC) of the persisted identifier.
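
The scheme discussed in this thread, as an added example that is not part of the original posts and is not TYPO3's code: the cookie keeps the random identifier, the table stores only its HMAC, and a lookup hashes the cookie before querying with a bound parameter. The secret, the table `example_sessions`, the column `user_id` and both helper functions are assumptions; the key derivation TYPO3 actually uses is in the commit linked above.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the installation secret (assumption). A real
// integration would read it from protected configuration, not hard-code it.
const EXAMPLE_SECRET = 'constructed-example-secret-not-a-real-key';

// Hypothetical helper: the value that is persisted and searched for.
function persistedSessionId(string $cookieValue, string $secret): string
{
    return hash_hmac('sha256', $cookieValue, $secret);
}

// Hypothetical helper: hash the incoming cookie, then query with a bound
// parameter instead of interpolating $_COOKIE into the SQL string.
function findUserId(PDO $db, string $cookieValue, string $secret): ?int
{
    $stmt = $db->prepare('SELECT user_id FROM example_sessions WHERE ses_id = ?');
    $stmt->execute([persistedSessionId($cookieValue, $secret)]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

// In-memory table standing in for the session table (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE example_sessions (ses_id TEXT PRIMARY KEY, user_id INTEGER)');

// Login side: the browser receives the random identifier, the database
// receives only its HMAC.
$cookieValue = bin2hex(random_bytes(16));
$storedValue = persistedSessionId($cookieValue, EXAMPLE_SECRET);
$db->prepare('INSERT INTO example_sessions (ses_id, user_id) VALUES (?, ?)')
   ->execute([$storedValue, 42]);

// Lookup with the value the browser actually sends.
var_dump(findUserId($db, $cookieValue, EXAMPLE_SECRET));

// Lookup with the stored value, as someone with read access to the table
// would have it: it is hashed again on the way in and matches no row.
var_dump(findUserId($db, $storedValue, EXAMPLE_SECRET));

// A cookie the server never issued.
var_dump(findUserId($db, 'not-a-session', EXAMPLE_SECRET));
```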

Hi Oliver,

thank you for the information!

Greets

Marc