Skip to content

Update password stored as a SHA256 hash in cookie #952

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Update password stored as a SHA256 hash in cookie #952

wants to merge 1 commit into from

Conversation

daTourist
Copy link

Describe in detail the problem you had and how this PR fixes it

The authentication password is stored in plain-text in a cookie named password.

Some may not see this as a security issue for automatically generated passwords (although bad practice) but it is definitively an issue when setting a custom password.

Therefore switching from a plain-text stored password to a SHA256 hash is a quick first step in the right direction (aka. I agree it could be better, eg. salted hash).

I saw that there are pull requests providing other solutions (eg. #931 ) for authentication methods which were blocked by GH-857, but really think this pull request should be merged in for the next v1 release.

code-server-password-hash-poc

Is there an open issue you can link to?

Issue #515 (Issue #565)

sr229
sr229 suggested changes Sep 7, 2019
View reviewed changes
Copy link
Contributor

@sr229 sr229 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blocked by GH-857. Please rebase it on v2 instead once it merges.

@sr229 sr229 added the blocked This issue cannot proceed due to external factors label Sep 12, 2019
@nhooyr
Copy link
Contributor

nhooyr commented Sep 20, 2019

This PR doesn't really add any security. Sure you can't tell what the original password is but you can still log into code-server with the hash which just acts as the password. Instead, we should hash the password server side and not store it in memory as plaintext and then hash the client side when comparing.

@nhooyr nhooyr mentioned this pull request Sep 20, 2019
Closed
@sr229
Copy link
Contributor

sr229 commented Oct 28, 2019

No activity since PR was opened. Closing to keep the PR queue clean.

@sr229 sr229 closed this Oct 28, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sr229 sr229 sr229 requested changes

@code-asher code-asher Awaiting requested review from code-asher

@kylecarbs kylecarbs Awaiting requested review from kylecarbs

Assignees
No one assigned
Labels
blocked This issue cannot proceed due to external factors
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@daTourist @nhooyr @sr229