You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Operator session tokens were stored verbatim in operator_sessions.token
(the primary key) — the same 32-byte hex value carried in the session
cookie. Anyone with read access to the database (backup, snapshot,
future SQL-injection sink) could lift every active session token and
hijack operator sessions with no further authentication.
Persist only SHA-256(token), mirroring the enrollment-token fix
(GHSA-ghmh-jhmj-wcmf) and operator_api_keys:
- models.HashSessionToken: at-rest representation of a raw token.
- Migration 019 renames operator_sessions.token -> token_hash. Existing
rows hold raw values that can no longer match a hashed lookup, so they
become unreachable and the operator re-authenticates — acceptable for
a 24h-TTL session.
- The store hashes the token on insert and on every lookup
(Get/GetPendingTwoFactor/Promote/Delete), so callers keep passing the
raw cookie value; the raw token never touches disk.
Closes GHSA-q4vm-pq3q-8wgq.
0 commit comments