Jump to content

Doubts about authentication and session handling


mdiniz

Recommended Posts

Hi there

 

I'm checking how the authentication and session handling is done in Prestashop 1.5.3.1, and I would appreciate some help in understanding what it is done right now. Probably a core developer or another person familiar with the code is able to help me.

 

About authentication: we hash the password and the COOKIE_KEY (that should never change) to generate an encrypted password that is set in the database, that's clear. That's done through Tools::encrypt. I'm planning to use a more secure hash function, so ideally I would change Tools::encrypt, but it seems it's used for many other purposes, not only this password encryption. Do you have any good suggestion on how to approach that?

 

About sessions: we don't use PHP sessions, is there a reason for that? The way sessions are handled right now is with the Cookie class, and it seems it stores everything related to the session (including the customer's password) on the client side with an encrypted cookie. Please confirm me this behaviour (I want to be sure I understood it). While this is ok, it tends to generate big cookies if I need to add more things to the session. Is there any drawback in switching the session handling to standard PHP sessions and use memcached on the server side? Maybe a security hole I can't see.

 

Also, as we do have sessions (via cookies) that keep the customer authenticated, I don't quite get the reason for having a secure_key on the customer table. Could anyone explain why it is needed?

 

I had a look at the code and I may have missed or misunderstood parts of it, please feel free to disagree :)

 

Thank you

  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...