[Catalyst] Storing the hash of the session token with
C::P::Session::Store::File
Octavian Rasnita
orasnita at gmail.com
Sun Nov 18 13:03:47 GMT 2012
Hi,
I read a good suggestion:
"And DO NOT STORE THE PERSISTENT LOGIN COOKIE (TOKEN) IN YOUR DATABASE, ONLY
A HASH OF IT! The login token is Password Equivalent, so if an attacker got
his hands on your database, he/she could use the tokens to log in to any
account, just as if they were cleartext login-password combinations.
Therefore, use strong salted hashing (bcrypt / phpass) when storing
persistent login tokens."
I've seen that C::P::Session::Store::File stores the token of the session on
the server, and not only its hash.
Is there a way to configure this plugin to store just the hash of the token
on the server?
--Octavian
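As an added illustration of the idea in the question (not code from Catalyst or from C::P::Session::Store::File), here is a minimal file-backed session store in Perl that never writes the cookie token to disk: the file name is an HMAC of the token under a server-side key, so a copy of the session directory cannot be turned back into usable cookies. The key name, directory and helper names are assumptions for the example; because a session token is a long random value rather than a human-chosen password, a keyed SHA-256 is sufficient here and a slow password hash such as bcrypt is not needed.

```perl
#!/usr/bin/env perl
# Added example (not Catalyst's own code): a minimal file-backed session store
# that never writes the cookie token to disk. The file name is derived from an
# HMAC of the token under a server-side key, so a dump of the session directory
# cannot be replayed as cookies. A keyed hash is enough here: session tokens are
# long random strings, so a slow password hash (bcrypt) buys nothing, and the
# key adds protection if only the directory, not the application config, leaks.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex sha256_hex);
use File::Spec;
use File::Temp qw(tempdir);

# Assumed: the HMAC key lives in the application config, not in the session dir.
my $SERVER_KEY = 'replace-with-a-random-secret-from-config';
my $DIR        = tempdir( CLEANUP => 1 );

sub storage_key { hmac_sha256_hex( $_[0], $SERVER_KEY ) }

sub path_for { File::Spec->catfile( $DIR, storage_key( $_[0] ) ) }

sub store_session {
    my ( $token, $data ) = @_;
    open my $fh, '>', path_for($token) or die "store: $!";
    print {$fh} $data;    # only the payload is written; the token itself never is
    close $fh;
}

sub load_session {
    my ($token) = @_;
    my $path = path_for($token);
    return unless -e $path;
    open my $fh, '<', $path or die "load: $!";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Demo: the client keeps $token in its cookie; the server only keeps the HMAC.
# Constructed stand-in token; a real application uses a CSPRNG-generated one.
my $token = sha256_hex( time . $$ . rand );
store_session( $token, 'user_id=42' );
print "lookup by token:  ", load_session($token), "\n";
print "stored filename:  ", storage_key($token), "\n";
my $leaked = grep { /\Q$token\E/ } glob("$DIR/*");
print "token on disk?    ", ( $leaked ? "yes" : "no" ), "\n";
```

Lookup still works because the server recomputes the same HMAC from the presented cookie; what changes is that the stored name is useless to anyone who obtains the session files without the key.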