Disable hashing of ses_id possible?

Hi Community,

Please excuse my bad English ;-).
We upgraded our Typo-Server from 9.5.7 to 9.5.31.
Since then, the ses_id is no longer equal to fe_typo_user in the $_COOKIE global.

We have a lot of third-party apps, which use the typo3-Frontend-Login.
Our SQL-Selects: "…where ses_id='$_COOKIE[fe_typo_user]'" won't work anymore.

Is there a way to hash $_COOKIE[fe_typo_user] to get the same value as stored in ses_id?
Or can we disable the hashing?

Thanks in advance!


Sorry for the late reply, I did not check talk.typo3.org frequently…

The change you are referring to was part of a security fix, which is described at TYPO3-CORE-SA-2020-011: Cleartext storage of session identifier.
Besides that, I also demonstrated a potential attack technically during the TYPO3 Online Days 2021, which can be watched again on YouTube at TYPO3 Online Days 2021 - #T3OD21 - Day 2 - June 30, 2021 - YouTube

The hashing implementation for the database component is shown at [SECURITY] Protect persisted session IDs from being used directly · TYPO3/typo3@dc26a4a · GitHub

For security reasons (as explained in the resources above), it is not possible to deactivate hashing (via HMAC) of the persisted identifier.
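
One way a third-party app could perform the lookup asked about above is to apply the same keyed hash to the cookie value before querying, with a bound parameter. This is an added example, not part of the thread and not TYPO3's code. The HMAC algorithm, the key derivation, the secret, the reduced table layout and the function names are assumptions; the real algorithm and key derivation are in the commit linked in the answer.

```php
<?php
declare(strict_types=1);

// Assumptions (not taken from the thread): the HMAC algorithm and the way the
// key is derived from the installation secret. Read the real ones from the
// commit linked in the answer before relying on this.
const ASSUMED_ALGO = 'sha256';

function deriveKey(string $installationSecret): string
{
    // Hypothetical derivation; the label string is a constructed placeholder.
    return sha1($installationSecret . 'example-session-backend');
}

// Turn the cookie value into the identifier as it is persisted in ses_id.
function persistedSessionId(string $cookieValue, string $key): string
{
    return hash_hmac(ASSUMED_ALGO, $cookieValue, $key);
}

// Look the session up by its HMAC, binding the value as a parameter instead
// of interpolating the cookie into the SQL string.
function findSessionUser(PDO $db, string $cookieValue, string $key): ?int
{
    $stmt = $db->prepare('SELECT ses_userid FROM fe_sessions WHERE ses_id = :id');
    $stmt->execute([':id' => persistedSessionId($cookieValue, $key)]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int)$userId;
}

// Constructed demo data: in-memory table with a reduced schema and one row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE fe_sessions (ses_id TEXT PRIMARY KEY, ses_userid INTEGER)');

$key    = deriveKey('constructed-installation-secret');
$cookie = bin2hex(random_bytes(16)); // stands in for $_COOKIE['fe_typo_user']

$insert = $db->prepare('INSERT INTO fe_sessions (ses_id, ses_userid) VALUES (?, ?)');
$insert->execute([persistedSessionId($cookie, $key), 42]);

// Old-style lookup by the raw cookie value: the stored value is the HMAC,
// so the raw value matches no row.
$raw = $db->prepare('SELECT ses_userid FROM fe_sessions WHERE ses_id = ?');
$raw->execute([$cookie]);
var_dump($raw->fetchColumn());

// Lookup through the HMAC finds the constructed session row.
var_dump(findSessionUser($db, $cookie, $key));
```

Any app doing this needs read access to the installation secret, so that secret has to be protected in each app as carefully as in the TYPO3 instance itself.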

Hi Oliver,

Thank you for the information!