mdiniz Posted April 11, 2013

Hi there,

I'm checking how the authentication and session handling is done in Prestashop 184.108.40.206, and I would appreciate some help in understanding what is done right now. Probably a core developer or another person familiar with the code is able to help me.

About authentication: we hash the password and the COOKIE_KEY (that should never change) to generate an encrypted password that is set in the database, that's clear. That's done through Tools::encrypt. I'm planning to use a more secure hash function, so ideally I would change Tools::encrypt, but it seems it's used for many other purposes, not only this password encryption. Do you have any good suggestion on how to approach that?

About sessions: we don't use PHP sessions, is there a reason for that? The way sessions are handled right now is with the Cookie class, and it seems it stores everything related to the session (including the customer's password) on the client side in an encrypted cookie. Please confirm this behaviour to me (I want to be sure I understood it). While this is ok, it tends to generate big cookies if I need to add more things to the session. Is there any drawback in switching the session handling to standard PHP sessions and using memcached on the server side? Maybe a security hole I can't see.

Also, as we do have sessions (via cookies) that keep the customer authenticated, I don't quite get the reason for having a secure_key on the customer table. Could anyone explain why it is needed?

I had a look at the code and I may have missed or misunderstood parts of it, please feel free to disagree.

Thank you
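One way to introduce a stronger password hash without touching Tools::encrypt, as an added example that is not PrestaShop's code nor the poster's: a dedicated password helper that verifies rows stored under the old scheme and rehashes them on the next successful login. It assumes the legacy value is md5(_COOKIE_KEY_ . $password) and uses a constructed demo key; `PasswordHasher` and the 32-hex-character legacy detection are this example's own choices.

```php
<?php
// Added example, not PrestaShop code. Assumes the legacy passwd column holds
// md5(_COOKIE_KEY_ . $password); the key below is constructed for the demo only
// (a real install reads _COOKIE_KEY_ from settings.inc.php).
if (!defined('_COOKIE_KEY_')) {
    define('_COOKIE_KEY_', 'constructed-demo-key-not-a-real-one');
}

final class PasswordHasher
{
    private const COST = 12; // bcrypt work factor; raise as hardware improves

    /** Legacy scheme the forum post describes: hash of COOKIE_KEY and password. */
    public static function legacyHash(string $password): string
    {
        return md5(_COOKIE_KEY_ . $password);
    }

    /** New scheme: salted, slow, password-specific; Tools::encrypt stays as is. */
    public static function hash(string $password): string
    {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => self::COST]);
    }

    /** A stored value of 32 hex characters is taken to be a legacy md5 hash. */
    public static function isLegacy(string $stored): bool
    {
        return (bool) preg_match('/^[a-f0-9]{32}$/i', $stored);
    }

    /**
     * Check a login attempt against the stored value.
     * Returns [ok, replacement]: replacement is a bcrypt hash to write back to
     * the customer row when the old format (or an outdated cost) verified.
     */
    public static function verify(string $password, string $stored): array
    {
        if (self::isLegacy($stored)) {
            $ok = hash_equals($stored, self::legacyHash($password)); // constant time
            return [$ok, $ok ? self::hash($password) : null];
        }
        $ok = password_verify($password, $stored);
        $stale = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => self::COST]);
        return [$ok, $stale ? self::hash($password) : null];
    }
}

// Demo: a constructed legacy row is migrated on its first successful login.
$stored = PasswordHasher::legacyHash('correct horse');
[$ok, $replacement] = PasswordHasher::verify('correct horse', $stored);
if ($ok && $replacement !== null) {
    $stored = $replacement; // in practice: UPDATE customer SET passwd = ? WHERE id_customer = ?
}
[$stillOk] = PasswordHasher::verify('correct horse', $stored); // true, now via bcrypt
```

Until every row has been rewritten, the md5 values remain in the table, so the migration only finishes for customers who log in; anyone who never returns keeps the weaker hash.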