Page MenuHomePhabricator

user_token should automatically regenerate when NULL
Closed, ResolvedPublic


Currently if a copy of your user table gets leaked out you have to regenerate the entire user_token column. I'm not even sure we have a user script to do that.

The User class code should be tweaked so that if a user_token is found to be NULL when a user is logging in a new one will be generated and the row will be updated.

This way instead of needing a maintenance script, all it will take to re-secure the database after a leak would be for the sysadmin to run UPDATE user SET user_token = NULL; and user tokens will be regenerated as needed.

Version: unspecified
Severity: normal



Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 12:13 AM
bzimport set Reference to bz34237.
bzimport added a subscriber: Unknown Object (MLST).