Skip Menu |

This queue is for tickets about the Catalyst-Authentication-Store-DBIx-Class CPAN distribution.

Report information
The Basics
Id: 46656
Status: new
Priority: 0/
Queue: Catalyst-Authentication-Store-DBIx-Class

People
Owner: Nobody in particular
Requestors: kmx [...] volny.cz
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Wishlist: prevent passwords (plain or hashed) from being stored in $c->session hash
Date: Thu, 04 Jun 2009 00:28:23 +0200
To: bug-Catalyst-Authentication-Store-DBIx-Class [...] rt.cpan.org
From: kmx <kmx [...] volny.cz>
Hi, I have been dealing with the question whether it is possible to prevent users' passwords (plain or hashed) being stored in session hash as I use session::store::file and thus these quite sensitive information is stored somewhere on filesystem. I know that I have carefully set filesystem permissions to mitigate this risk, however I cannot find out any good reason why to keep password/hash in the session. After a short discussion on IRC I was pointed out to option use_userdata_from_session. However the $c->session->{'__user'} seems to have the same content (incl. password field) if I set use_userdata_from_session to 1 or 0. Some people in discussion stated that it should work slightly differently - just store user_id (not all data) in session hash - but this idea was probably left commented out in code of for_session() and from_session(). If putting the complete user record (incl. password/hash) into session is intended behaviour (maybe not) I would like to ask whether it is possible to configure somehow which columns are not copied into session hash. Based on IRC discussion I have come into conclusion that for_session method of auth::store is the right place for this sort of censorship. I mean something like setting configuration parameter: "for_session_exclude=password" tells the store not to put password column into return value of for_session. Thanks in advance for any feedback. -- kmx