[adminer-tracker] [ adminer-Bugs and Features-3531952 ] Session storage stores passwords as plainte
From: SourceForge.net <no...@so...> - 2012-06-29 20:26:20
Bugs and Features item #3531952, was opened at 2012-06-04 10:07
Message generated for change (Comment added) made by jakubvrana
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=1127745&aid=3531952&group_id=264133

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: Common
Group: 3.3.4
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Errol (esayre)
Assigned to: Jakub Vrána (jakubvrana)
Summary: Session storage stores passwords as plaintext

Initial Comment:
Although Adminer will encrypt user passwords marked as "permanent login" in the browser cookie storage, passwords for ongoing sessions are stored on the server in plain text in the session data file. The system should encrypt passwords as soon as they are stored in any way and decrypt them as needed.

----------------------------------------------------------------------

>Comment By: Jakub Vrána (jakubvrana)
Date: 2012-06-29 13:26

Message:
Encrypting the password in this case wouldn't be very useful because the cipher and its key would be stored close to each other.

Also take a look at the plugin password-sha1 for the case where your DB credentials != Adminer password:
http://www.adminer.org/en/plugins/

----------------------------------------------------------------------
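The trade-off discussed in this thread, as an added example that is not Adminer's code and not part of the original messages: it compares a session file that holds both ciphertext and key with one that holds ciphertext only. The second layout (key kept only in a browser cookie), the array stand-ins for the session file and cookie, and all function and field names are assumptions made for illustration.

```php
<?php
// Added illustration, not Adminer code. The session file and the browser
// cookie are modelled as arrays so this runs from the CLI (needs ext-sodium).

function seal(string $password, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($password, $nonce, $key));
}

// Returns the plaintext, or null if the blob/key is malformed or the MAC fails.
function unseal(string $blob, string $keyB64): ?string {
    $raw = base64_decode($blob, true);
    $key = base64_decode($keyB64, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || $key === false || strlen($raw) < $min
        || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// What someone holding ONLY the server-side session file can recover.
function recoverFromSessionFile(array $file): ?string {
    return isset($file['key']) ? unseal($file['pwd'], $file['key']) : null;
}

$password = 'constructed-db-password'; // constructed sample value

// Layout A: key written next to the ciphertext (the case the maintainer describes).
$keyA = sodium_crypto_secretbox_keygen();
$sessionA = ['pwd' => seal($password, $keyA), 'key' => base64_encode($keyA)];

// Layout B (assumption, not from the thread): key lives only in a browser cookie.
$keyB = sodium_crypto_secretbox_keygen();
$sessionB = ['pwd' => seal($password, $keyB)];
$cookieB  = ['pwd_key' => base64_encode($keyB)];

var_dump(recoverFromSessionFile($sessionA) === $password); // file alone is enough
var_dump(recoverFromSessionFile($sessionB) === null);      // file alone is not
var_dump(unseal($sessionB['pwd'], $cookieB['pwd_key']) === $password); // needs the request's cookie
```

Layout B only protects the session file at rest: anyone who can also observe the request, or the PHP process while it handles one, still sees the key and the password.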