#249 Session storage stores passwords as plaintext

Milestone: 3.3.4
Status: closed-wont-fix
Owner: Jakub Vrána
Labels: Common (150)
Priority: 5
Updated: 2012-06-29
Created: 2012-06-04
Creator: Errol
Private: No

Although Adminer will encrypt user passwords marked as "permanent login" in the browser cookie storage, passwords for ongoing sessions are stored on the server in plaintext in the session data file.

The system should encrypt passwords as soon as they are stored in any way and decrypt them as needed.

Discussion

  • Jakub Vrána
    2012-06-29

    Encrypting the password in this case wouldn't be very useful because the cipher and its key would be stored close to each other.

    Also take a look at the password-sha1 plugin for the case where your DB credentials != Adminer password: http://www.adminer.org/en/plugins/

  • Jakub Vrána
    2012-06-29

    • status: open --> closed-wont-fix
  • Errol
    2012-06-29

    I'm not requesting anything more than obfuscation really.

    As it is now, anyone with read access to the session directory would have direct access to unencrypted passwords.

    Even just a customized variant of rotation/encoding would be better than nothing.
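The disagreement above turns on where the key lives, so here is an added example (editor's code, not Adminer's, and not something the ticket or the project proposes) that puts the three options side by side: the plaintext session file the ticket reports, a session file encrypted with a key stored in the same directory, and a session file encrypted with a per-session key that is handed back to the browser (as a cookie, say) and never written server-side. The session files are JSON stand-ins for PHP's `sess_<id>` files under `session.save_path`; the cipher is a standard-library stand-in (HMAC-SHA256 keystream, encrypt-then-MAC) for a real AEAD such as AES-GCM. The "attacker" is exactly the one Errol describes: someone with read access to the session directory who also knows the code.

```python
"""Added example (not Adminer's code): whether an 'encrypted' session password is
real protection or mere obfuscation depends on where the key lives. Session files
are JSON stand-ins for PHP's sess_<id> files; the cipher is a standard-library
stand-in (HMAC-SHA256 keystream, encrypt-then-MAC) for a real AEAD such as AES-GCM."""
import hashlib
import hmac
import json
import secrets
import tempfile
from pathlib import Path


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. Keystream blocks are PRF(key, "ks"||nonce||ctr)."""
    nonce = secrets.token_bytes(16)
    ks = b"".join(_prf(key, b"ks" + nonce + i.to_bytes(8, "big")) for i in range(len(plaintext) // 32 + 1))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ct + _prf(key, b"tag" + nonce + ct)


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag first; raises ValueError on a wrong key or altered data."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"tag" + nonce + ct)):
        raise ValueError("wrong key or tampered session data")
    ks = b"".join(_prf(key, b"ks" + nonce + i.to_bytes(8, "big")) for i in range(len(ct) // 32 + 1))
    return bytes(c ^ k for c, k in zip(ct, ks))


def session_write(sdir: Path, sid: str, data: dict) -> None:
    """One file per session id, like PHP's session.save_path (JSON instead of PHP's format)."""
    (sdir / f"sess_{sid}").write_text(json.dumps(data))


def login_plaintext(sdir: Path, sid: str, password: str) -> None:
    """What the ticket reports: the DB password sits verbatim in the session file."""
    session_write(sdir, sid, {"pwd": password})


def login_server_key(sdir: Path, sid: str, password: str) -> None:
    """Encrypted with a key file kept next to the sessions: the objection raised in the
    discussion, since whoever can read the sessions can read the key too."""
    key_file = sdir / "secret.key"
    if not key_file.exists():
        key_file.write_bytes(secrets.token_bytes(32))
    session_write(sdir, sid, {"pwd_enc": encrypt(key_file.read_bytes(), password.encode()).hex()})


def login_client_key(sdir: Path, sid: str, password: str) -> str:
    """Per-session random key handed back to the browser (e.g. as a cookie) and never
    stored server-side; only ciphertext lands in the session file. Returns the key."""
    key = secrets.token_bytes(32)
    session_write(sdir, sid, {"pwd_enc": encrypt(key, password.encode()).hex()})
    return key.hex()


def load_client_key(sdir: Path, sid: str, cookie_key_hex: str) -> str:
    """Legitimate request: the browser presents the cookie and the server decrypts."""
    blob = bytes.fromhex(json.loads((sdir / f"sess_{sid}").read_text())["pwd_enc"])
    return decrypt(bytes.fromhex(cookie_key_hex), blob).decode()


def attacker_with_read_access(sdir: Path) -> dict:
    """What an attacker who can read the directory (and knows the scheme) recovers:
    {sid: password or None}."""
    key_file = sdir / "secret.key"
    server_key = key_file.read_bytes() if key_file.exists() else None
    found = {}
    for f in sdir.glob("sess_*"):
        data, sid = json.loads(f.read_text()), f.name[len("sess_"):]
        if "pwd" in data:
            found[sid] = data["pwd"]
            continue
        try:
            found[sid] = decrypt(server_key or b"", bytes.fromhex(data["pwd_enc"])).decode()
        except ValueError:
            found[sid] = None  # tag check fails: the key is not on the server's disk
    return found


def demo() -> dict:
    """Constructed scenario: three sessions in one temp directory, one per strategy."""
    sdir = Path(tempfile.mkdtemp())
    login_plaintext(sdir, "a1", "hunter2")
    login_server_key(sdir, "b2", "correct-horse")
    cookie = login_client_key(sdir, "c3", "battery-staple")
    assert load_client_key(sdir, "c3", cookie) == "battery-staple"  # normal use still works
    return attacker_with_read_access(sdir)


if __name__ == "__main__":
    print(demo())  # {'a1': 'hunter2', 'b2': 'correct-horse', 'c3': None}
```

The first two sessions fall to a directory read, which is the point made in the discussion: a key file beside the session files (or any fixed "rotation/encoding" the code itself must be able to undo) only adds a step for an attacker who can read the code, so it is obfuscation rather than protection. The third session survives because the session file alone is ciphertext under a key the server never stored. The caveat is the scope of that protection: the key travels in every request, so this defends specifically against whoever can read session storage at rest (backups, a shared `session.save_path`, a misconfigured permission), not against an attacker who can intercept requests or execute code inside the application.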