Page MenuHomePhabricator

Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole

Authored by epriestley on Nov 15 2018, 1:31 PM.



Ref T6960. Ref T13217. Ref T13216. Depends on D19811. Use the recently-introduced "%P" conversion ("Password/Secret") to load sessions in SessionEngine.

This secret isn't critical to protect (it's the hash of the actual secret and not useful to attackers on its own) but it shows up on every page in DarkConsole and is an obvious case where %P is a more appropriate conversion.

Test Plan

Note "*****" in the middle of the output here, instead of a session key hash:

Diff Detail

rP Phabricator
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

epriestley created this revision.Nov 15 2018, 1:31 PM
epriestley requested review of this revision.Nov 15 2018, 1:33 PM
amckinley accepted this revision.Nov 16 2018, 7:23 PM
This revision is now accepted and ready to land.Nov 16 2018, 7:23 PM
This revision was automatically updated to reflect the committed changes.