Doubts about authentication and session handling

[mdiniz]

Hi there

 

I'm checking how the authentication and session handling is done in Prestashop 1.5.3.1, and I would appreciate some help in understanding what it is done right now. Probably a core developer or another person familiar with the code is able to help me.

 

About authentication: we hash the password and the COOKIE_KEY (that should never change) to generate an encrypted password that is set in the database, that's clear. That's done through Tools::encrypt. I'm planning to use a more secure hash function, so ideally I would change Tools::encrypt, but it seems it's used for many other purposes, not only this password encryption. Do you have any good suggestion on how to approach that?

 

About sessions: we don't use PHP sessions, is there a reason for that? The way sessions are handled right now is with the Cookie class, and it seems it stores everything related to the session (including the customer's password) on the client side with an encrypted cookie. Please confirm me this behaviour (I want to be sure I understood it). While this is ok, it tends to generate big cookies if I need to add more things to the session. Is there any drawback in switching the session handling to standard PHP sessions and use memcached on the server side? Maybe a security hole I can't see.

 

Also, as we do have sessions (via cookies) that keep the customer authenticated, I don't quite get the reason for having a secure_key on the customer table. Could anyone explain why it is needed?

 

I had a look at the code and I may have missed or misunderstood parts of it, please feel free to disagree

 

Thank you

[mdiniz]

Hi there

 

I'm upping this post, as I think this matter is pretty important. If you know something about this subject, could you please shed some light on it for me? Thank you!