Subject: Wishlist: prevent passwords (plain or hashed) from being stored in $c->session hash
Date: Thu, 04 Jun 2009 00:28:23 +0200
To: bug-Catalyst-Authentication-Store-DBIx-Class [...] rt.cpan.org
From: kmx <kmx [...] volny.cz>

Hi,

I have been dealing with the question whether it is possible to prevent
users' passwords (plain or hashed) from being stored in the session hash, as I use
session::store::file and thus this quite sensitive information is
stored somewhere on the filesystem. I know that I have carefully set
filesystem permissions to mitigate this risk, however I cannot find
any good reason to keep the password/hash in the session.

After a short discussion on IRC I was pointed to the option
use_userdata_from_session. However the $c->session->{'__user'} seems to
have the same content (incl. password field) whether I set
use_userdata_from_session to 1 or 0. Some people in the discussion stated
that it should work slightly differently - just store user_id (not all
data) in the session hash - but this idea was probably left commented out in
the code of for_session() and from_session().

If putting the complete user record (incl. password/hash) into the session
is intended behaviour (maybe not) I would like to ask whether it is
possible to configure somehow which columns are not copied into the session
hash. Based on the IRC discussion I have come to the conclusion that
the for_session method of auth::store is the right place for this sort of
censorship. I mean something like setting a configuration parameter:
"for_session_exclude=password" tells the store not to put the password
column into the return value of for_session.

Thanks in advance for any feedback.
--
kmx
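
An added sketch of the column filtering requested above; it is not part of the original message and not the module's own code. The packages Demo::Row and Demo::StoreUser are hypothetical stand-ins, the sample record is constructed, and for_session_exclude is the option name proposed in the ticket, not an existing setting.

```perl
use strict;
use warnings;

# Constructed stand-in for a DBIx::Class row: only get_columns() is modelled.
package Demo::Row;
sub new         { my ($class, %cols) = @_; return bless { %cols }, $class }
sub get_columns { my $self = shift; return %$self }

# Hypothetical store user class; the real store's internals are not reproduced.
package Demo::StoreUser;
sub new {
    my ($class, %args) = @_;
    return bless {
        row     => $args{row},
        exclude => $args{for_session_exclude} || [],   # option name proposed in the ticket
    }, $class;
}

# Return the data that will be serialized into the session, minus excluded columns.
sub for_session {
    my $self = shift;
    my %userdata = $self->{row}->get_columns;
    delete @userdata{ @{ $self->{exclude} } };   # hash-slice delete; no-op for an empty list
    return \%userdata;
}

package main;

# Constructed sample record.
my $row = Demo::Row->new(
    id       => 42,
    username => 'alice',
    password => '{SSHA}constructed-sample-hash',
    email    => 'alice@example.org',
);

my $unfiltered = Demo::StoreUser->new(row => $row)->for_session;
my $filtered   = Demo::StoreUser->new(
    row                 => $row,
    for_session_exclude => ['password'],
)->for_session;

printf "without exclude: %s\n", join ', ', sort keys %$unfiltered;
printf "with exclude:    %s\n", join ', ', sort keys %$filtered;
die "password leaked into session data\n" if exists $filtered->{password};
```

With a column excluded this way, a user object rebuilt purely from the session data no longer carries that field, so any code that needs it has to reload the row from the database.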