[Tickets #11566] Re: when setting session.hash_function to sha512, horde can't auth/decrypt anymore
bugs at horde.org
Mon Oct 22 11:37:40 UTC 2012
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/11566
------------------------------------------------------------------------------
Ticket | 11566
Updated By | Jan Schneider <jan at horde.org>
Summary | when setting session.hash_function to sha512, horde
| can't auth/decrypt anymore
Queue | Horde Framework Packages
Version | FRAMEWORK_4
Type | Bug
-State | Unconfirmed
+State | Feedback
-Priority | 3. High
+Priority | 2. Medium
Milestone |
Patch |
-Owners |
+Owners | Horde Developers
------------------------------------------------------------------------------
Jan Schneider <jan at horde.org> (2012-10-22 13:37) wrote:
The reason is that we use the session ID as a fallback key when
encrypting information with Horde_Secret if cookies are disabled.
Since we use Crypt_Blowfish in the background, we need to limit this
key to 56 bytes. Using the session ID is less safe than generating our
own cookie-based key anyway, so it probably doesn't matter anymore if
we cut the session ID to 56 bytes maximum either. Opinions?
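
The length mismatch described in the message above, as an added example that is not Horde code and not part of the original ticket: it computes how long a PHP session ID is for each `session.hash_function` digest and which ones exceed the 56-byte key limit. It assumes the ID is the digest packed at `session.hash_bits_per_character` (4, 5 or 6) bits per character; `fallback_key` and the other function names are hypothetical.

```python
import math

BLOWFISH_MAX_KEY_BYTES = 56  # key limit stated in the ticket (448 bits)

# Digest sizes in bits for common session.hash_function choices.
DIGEST_BITS = {"md5": 128, "sha1": 160, "sha256": 256, "sha512": 512}


def session_id_length(hash_name, bits_per_char):
    """Characters in the session ID (assumption: digest packed bits_per_char at a time)."""
    return math.ceil(DIGEST_BITS[hash_name] / bits_per_char)


def fallback_key(session_id, max_len=BLOWFISH_MAX_KEY_BYTES):
    """Hypothetical helper: cut the session ID down to the cipher's key limit."""
    return session_id.encode("ascii")[:max_len]


def effective_key_bits(hash_name, bits_per_char):
    """Upper bound on the entropy left in the key after truncation."""
    kept = min(session_id_length(hash_name, bits_per_char), BLOWFISH_MAX_KEY_BYTES)
    return min(DIGEST_BITS[hash_name], kept * bits_per_char)


def report():
    """One row per (hash, bits/char): ID length, over-limit flag, key-entropy bound."""
    rows = []
    for name in DIGEST_BITS:
        for bpc in (4, 5, 6):
            length = session_id_length(name, bpc)
            rows.append((name, bpc, length, length > BLOWFISH_MAX_KEY_BYTES,
                         effective_key_bits(name, bpc)))
    return rows


if __name__ == "__main__":
    for name, bpc, length, too_long, bits in report():
        flag = "exceeds 56" if too_long else "fits"
        print(f"{name:7} {bpc} bits/char -> {length:3} chars ({flag}), <= {bits} key bits")
    sid = "ab" * 64  # constructed 128-character ID (sha512 at 4 bits per character)
    print(len(fallback_key(sid)), "byte key after truncation")
```

A truncated hexadecimal ID keeps at most 4 bits per key byte, so a full 56-byte key taken from it carries no more than 224 bits.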