HomePhabricator

Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole

Authored by epriestley on Nov 15 2018, 1:28 PM.

Description

Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole

Summary:
Ref T6960. Ref T13217. Ref T13216. Depends on D19811. Use the recently-introduced "%P" conversion ("Password/Secret") to load sessions in SessionEngine.

This secret isn't critical to protect (it's the hash of the actual secret and not useful to attackers on its own) but it shows up on every page in DarkConsole and is an obvious case where %P is a more appropriate conversion.

Test Plan:
Note "*****" in the middle of the output here, instead of a session key hash:

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13217, T13216, T6960

Differential Revision: https://secure.phabricator.com/D19812