[Tickets #11566] Re: when setting session.hash_function to sha512, horde can't auth/decrypt anymore
bugs at horde.org
Mon Oct 22 18:42:53 UTC 2012
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/11566
------------------------------------------------------------------------------
Ticket | 11566
Updated By | Michael Slusarz <slusarz at horde.org>
Summary | when setting session.hash_function to sha512, horde
| can't auth/decrypt anymore
Queue | Horde Framework Packages
Version | FRAMEWORK_4
Type | Bug
State | Feedback
Priority | 2. Medium
Milestone |
Patch |
Owners | Horde Developers
------------------------------------------------------------------------------
Michael Slusarz <slusarz at horde.org> (2012-10-22 12:42) wrote:
> Using the session ID is less safe than generating our own
> cookie-based key anyway, so it probably doesn't matter anymore if we
> cut the session ID to 56 bytes maximum either. Opinions?
I believe this portion of the discussion is irrelevant, since the
encryption key at issue here could theoretically be *any* key:
Horde_Secret#read() and Horde_Secret#write() accept any encryption key.
But I agree that the solution is to simply limit whatever key is given
to a maximum of 56 chars and clearly indicate this in the API
documentation ("Only the first 56 string characters in the
[de|en]cryption key will be used.")
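The following is an added example, not code from the ticket or from the Horde project, illustrating the behaviour discussed above in Python rather than PHP. It assumes that Horde_Secret wraps Blowfish (whose key may be at most 448 bits, i.e. 56 bytes, which is where the 56-character limit comes from; the ticket itself does not name the cipher) and that a PHP session ID under the default session.hash_bits_per_character = 4 is the hex digest of the configured session.hash_function. The session IDs, plaintext and the cipher wrapper are constructed here; the `cryptography` package is required.

```python
# Added example (not Horde code). Assumption: Horde_Secret uses Blowfish,
# so any key longer than 56 bytes is rejected by the cipher.
import hashlib
import os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, modes
try:  # cryptography >= 43 moved Blowfish to the "decrepit" namespace
    from cryptography.hazmat.decrepit.ciphers.algorithms import Blowfish
except ImportError:
    from cryptography.hazmat.primitives.ciphers.algorithms import Blowfish

MAX_KEY_LEN = 56   # Blowfish key limit in bytes (448 bits)
BLOCK_BITS = 64    # Blowfish block size


def session_id(hash_function: str) -> str:
    """Constructed stand-in for a PHP session ID with the default
    session.hash_bits_per_character = 4: length = digest bits / 4."""
    return hashlib.new(hash_function, os.urandom(32)).hexdigest()


def limit_key(key: bytes) -> bytes:
    """The proposed fix: only the first 56 bytes of the key are used."""
    return key[:MAX_KEY_LEN]


def encrypt(key: bytes, plaintext: bytes, limit: bool = True) -> bytes:
    """Blowfish-CBC with PKCS7 padding; returns iv || ciphertext.
    limit=False passes the raw key to the cipher, i.e. the pre-fix
    behaviour that fails once the session ID exceeds 56 bytes."""
    k = limit_key(key) if limit else key
    iv = os.urandom(BLOCK_BITS // 8)
    padder = padding.PKCS7(BLOCK_BITS).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(Blowfish(k), modes.CBC(iv)).encryptor()
    return iv + enc.update(padded) + enc.finalize()


def decrypt(key: bytes, blob: bytes, limit: bool = True) -> bytes:
    """Inverse of encrypt(); the same key-limiting rule must be applied."""
    k = limit_key(key) if limit else key
    iv, ct = blob[:BLOCK_BITS // 8], blob[BLOCK_BITS // 8:]
    dec = Cipher(Blowfish(k), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpadder = padding.PKCS7(BLOCK_BITS).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def key_rejected(key: bytes) -> bool:
    """True if the cipher refuses the key as given (no truncation)."""
    try:
        encrypt(key, b"x", limit=False)
        return False
    except ValueError:
        return True


def shares_prefix_key(a: bytes, b: bytes) -> bool:
    """Caveat of the fix: two keys that agree in their first 56 bytes
    are the same key to the cipher, so data written under one decrypts
    under the other. Callers must not assume the whole key matters."""
    return limit_key(a) == limit_key(b)


if __name__ == "__main__":
    for hf in ("md5", "sha1", "sha256", "sha512"):
        sid = session_id(hf)
        print(f"{hf:7} session id: {len(sid):3} chars, "
              f"accepted as raw key: {not key_rejected(sid.encode())}")
    sid = session_id("sha512").encode()
    blob = encrypt(sid, b"mail password")
    print("round trip with 56-byte limit:", decrypt(sid, blob))
```

Run as a script, this shows that md5 (32 chars) and sha1 (40 chars) session IDs fit the key limit, while sha256 (64 chars) and sha512 (128 chars) are rejected unless the key is cut to 56 bytes first; with the limit applied on both the write and read side the round trip succeeds. `shares_prefix_key` documents the trade-off the API note on the ticket is meant to convey: anything past byte 56 of the supplied key has no effect.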