0
OP Regular Newbie Apr 17, 2026 6:24pm

Severity: MEDIUM

Location: src/Controllers/AccountController.php:744-746

Bug: Export file contains live session identifiers.

Fix: Exclude session id or hash before inclusion.

Status: open. Will reply with remediation details when resolved.

0
Regular Newbie Apr 17, 2026 6:28pm

Resolved.

Resolved as part of the C-8 fix. The GDPR export no longer includes raw session ids — each session row now returns a SHA-256-derived session_fingerprint instead:

SELECT SUBSTRING(SHA2(id, 256), 1, 12) AS session_fingerprint, ...

See thread #1664 for the full diff.

Locking this thread.
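The fingerprint substitution described in the reply above, as an added example that is not the project's code (the actual diff is in the thread the reply references). It assumes PHP 8 and session ids that are high-entropy random tokens; the function names, the column names other than id, and the sample rows are hypothetical.

```php
<?php
declare(strict_types=1);

// Same value as MySQL's SUBSTRING(SHA2(id, 256), 1, 12): the first 12
// lowercase hex characters of the SHA-256 digest of the session id.
function sessionFingerprint(string $sessionId): string
{
    return substr(hash('sha256', $sessionId), 0, 12);
}

// Build export rows from an allowlist of fields; the raw id is never copied.
// Column names other than id are hypothetical.
function buildSessionExport(array $sessionRows): array
{
    return array_map(static fn (array $row): array => [
        'session_fingerprint' => sessionFingerprint($row['id']),
        'ip_address'          => $row['ip_address'],
        'last_seen'           => $row['last_seen'],
    ], $sessionRows);
}

// Regression check: returns the live session ids that appear anywhere in
// the serialized export (expected result: an empty array).
function leakedSessionIds(array $export, array $liveIds): array
{
    $serialized = json_encode($export, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
    return array_values(array_filter(
        $liveIds,
        static fn (string $id): bool => str_contains($serialized, $id)
    ));
}

// Constructed sample rows, not real session data.
$rows = [
    ['id' => 'c0nstructed-sample-session-id-0001', 'ip_address' => '192.0.2.10', 'last_seen' => '2026-04-17 18:00:00'],
    ['id' => 'c0nstructed-sample-session-id-0002', 'ip_address' => '192.0.2.11', 'last_seen' => '2026-04-17 18:05:00'],
];

$export = buildSessionExport($rows);
$leaks  = leakedSessionIds($export, array_column($rows, 'id'));

echo json_encode($export, JSON_PRETTY_PRINT), PHP_EOL;
echo $leaks === [] ? "OK: no live session ids in export\n" : "FAIL: live session id found in export\n";
exit($leaks === [] ? 0 : 1);
```

Run against a real export, the leak check works as a regression test for this finding: it fails if any later change puts a raw session id back into the file.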
