#249 Session storage stores passwords as plaintext

Common (150)

Although Adminer will encrypt user passwords marked as "permanent login" in the browser cookie storage, passwords for ongoing sessions are stored on the server in plaintext in the session data file.

The system should encrypt passwords as soon as they are stored in any way and decrypt them as needed.


  • Jakub Vrána

    Jakub Vrána - 2012-06-29

    Encrypting the password in this case wouldn't be very useful because the cipher and its key would be stored close to each other.

    Also take a look at the plugin password-sha1 for the case where your DB credentials != Adminer password: http://www.adminer.org/en/plugins/

  • Jakub Vrána

    Jakub Vrána - 2012-06-29
    • status: open --> closed-wont-fix
  • Anonymous - 2012-06-29

    I'm not requesting anything more than obfuscation really.

    As it is now, anyone with read access to the session directory would have direct access to unencrypted passwords.

    Even just a customized variant of rotation/encoding would be better than nothing.
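
The two comments above are both right as far as they go: a key sitting next to the session file adds nothing, but a session file that holds only ciphertext is useless to someone who can merely read the session directory. The added example below (illustration written for this page, not Adminer's code or anything the project shipped) resolves that by keeping the key in the user's browser as a cookie and only the secretbox ciphertext in `$_SESSION`. It assumes PHP >= 7.3 with ext/sodium, HTTPS, and cookies enabled; the cookie name `pwd_key`, the session field `pwd` and the sample password are all hypothetical. It does not protect against an attacker who can execute code on the server during a live request, since that attacker sees both halves.

```php
<?php
// Added example, not Adminer's code: keep the DB password in the server-side
// session only as secretbox ciphertext, with the key held in a browser cookie.
// Someone who can read the session directory then sees ciphertext they cannot
// open without also stealing that user's cookie.
// Assumes PHP >= 7.3 with ext/sodium, served over HTTPS.
// Cookie name, session field name and the sample password are hypothetical.

const KEY_COOKIE    = 'pwd_key';   // hypothetical cookie carrying the secretbox key
const SESSION_FIELD = 'pwd';       // hypothetical session field holding the ciphertext

// Returns the per-browser key, creating it on first use. It travels to the
// browser as a session cookie and is deliberately never written to $_SESSION.
function browser_key(): string
{
    $hex = $_COOKIE[KEY_COOKIE] ?? '';
    if (ctype_xdigit($hex) && strlen($hex) === 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        return hex2bin($hex);
    }
    $key = sodium_crypto_secretbox_keygen();
    setcookie(KEY_COOKIE, bin2hex($key), [
        'expires'  => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // never send the key over plain HTTP
        'httponly' => true,     // keep it away from page scripts
        'samesite' => 'Strict',
    ]);
    $_COOKIE[KEY_COOKIE] = bin2hex($key);  // visible to the rest of this request
    return $key;
}

// Replaces the plaintext assignment $_SESSION['pwd'] = $password.
// A fresh nonce per write; it is stored in front of the box since it is not secret.
function store_password(string $password, string $key): void
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $_SESSION[SESSION_FIELD] = $nonce . sodium_crypto_secretbox($password, $nonce, $key);
}

// Returns the password, or null if the session holds nothing usable: field
// missing, blob too short, wrong key (another browser's cookie) or tampering.
function load_password(string $key): ?string
{
    $blob = $_SESSION[SESSION_FIELD] ?? '';
    if (strlen($blob) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// CLI demo: $_SESSION and $_COOKIE are plain arrays here so the script runs
// without a web server; under a real SAPI you would call session_start() first.
$_SESSION = [];
$_COOKIE  = [];
$key = browser_key();
store_password('s3cret-db-pass', $key);   // constructed sample password

// serialize($_SESSION) is a fair stand-in for what the default session handler
// writes to sess_<id>; the plaintext password must not appear in it.
$onDisk = serialize($_SESSION);
var_dump(strpos($onDisk, 's3cret-db-pass') === false);

// The browser that owns the cookie gets its password back.
var_dump(load_password($key));

// Anyone who only copied the session file (no cookie) gets null, not a password.
var_dump(load_password(sodium_crypto_secretbox_keygen()));
```

The first `var_dump` shows the session blob no longer contains the password, the second shows the legitimate browser can still recover it, and the third shows the file on its own decrypts to nothing under a different key. Compared with the "customized rotation/encoding" suggested above, the secretbox construction is authenticated, so a tampered session file yields `null` rather than a mangled password being sent to the database server.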

