Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update session ids on update #16814

Merged
merged 5 commits into from Nov 26, 2020
Merged

Update session ids on update #16814

merged 5 commits into from Nov 26, 2020

Conversation

sgiehl
Copy link
Member

@sgiehl sgiehl commented Nov 26, 2020

Description:

Instead of updating every single session we could also try UPDATE session SET id=SHA2(id, 512), but that method might be unavailable if mysql is not configured for SSL, causing the update to fail maybe. So guess it's better this way.

fixes #16798

Review

  • Functional review done
  • Usability review done (is anything maybe unclear or think about anything that would cause people to reach out to support)
  • Security review done see checklist
  • Code review done
  • Tests were added if useful/possible
  • Reviewed for breaking changes
  • Developer changelog updated if needed
  • Documentation added if needed
  • Existing documentation updated if needed

@sgiehl sgiehl added not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. Needs Review PRs that need a code review labels Nov 26, 2020
@sgiehl sgiehl added this to the 4.0.1 milestone Nov 26, 2020
tsteur
tsteur reviewed Nov 26, 2020
View reviewed changes
core/Updates/4.0.0-b1.php Outdated
$sessions = Db::fetchAll('SELECT id from ' . Common::prefixTable('session'));

foreach ($sessions as $session) {
$migrations[] = $this->migration->db->boundSql(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this would actually print sessionId hashes on the screen... of course they are hashed but it may still not be ideal. Matomo may be in that state for a while and people could see them ... it's very low risk though that it 1) becomes visible and 2) someone either has the salt or tries to brute force them (eg a sys admin who is updating Matomo could have the salt but no access to the DB and now could technically brute force the original session id) . If someone was to downgrade later to Matomo 3 then it become an actual sessionId though.

image

I wonder should we maybe only do this for session Ids that are > 190 characters? In all other cases we could simply log out users? and these we could even simply delete?

Or we simply execute the query in the background similar to the delete from session.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in any case we should not do this for any 128 character session as this indicates the sessionId might be already hashed

@tsteur
only delete long sessionIds, migrate only sessionIds that dont look h…
bbe9126 
…ashed yet, no longer execute query on get migrations
tsteur
tsteur reviewed Nov 26, 2020
View reviewed changes
core/Updates/4.0.0-b1.php
@@ -252,6 +257,16 @@ public function getMigrations(Updater $updater)

public function doUpdate(Updater $updater)
{
$salt = SettingsPiwik::getSalt();
Copy link
Member

@tsteur tsteur Nov 26, 2020
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we only execute it as part of doUpdate... which should be fine. in worst case someone gets logged out

@tsteur
Copy link
Member

tsteur commented Nov 26, 2020

Note: this test fails but also does in 4.x https://travis-ci.com/github/matomo-org/matomo/jobs/449214044#L1438

@tsteur tsteur merged commit 8417ac0 into 4.x-dev Nov 26, 2020
@tsteur tsteur deleted the fixsessionupdate branch November 26, 2020 21:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tsteur tsteur tsteur left review comments

Assignees
No one assigned
Labels
Needs Review PRs that need a code review not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org.
Projects
None yet
Milestone
4.0.1
Development

Successfully merging this pull request may close these issues.

Error upgrading db while upgrading to 4.0.0-b1 (session update fails)
2 participants
@sgiehl @tsteur