Core/Accounts: sessionkey field in account table is only a temporary storage to pass data from authserver to worldserver and should only be used as such. Clearing sessionkey from database after a successful login to prevent possible exploits.

2 files changed, 4 insertions, 1 deletions

diff --git a/sql/base/auth_database.sql b/sql/base/auth_database.sql
index 9aaadcb55d5..cdff87c245a 100644
--- a/sql/base/auth_database.sql
+++ b/sql/base/auth_database.sql
@@ -26,7 +26,7 @@ CREATE TABLE `account` (
   `id` int(10) unsigned NOT NULL AUTO_INCREMENT COMMENT 'Identifier',
   `username` varchar(32) NOT NULL DEFAULT '',
   `sha_pass_hash` varchar(40) NOT NULL DEFAULT '',
-  `sessionkey` varchar(80) NOT NULL DEFAULT '',
+  `sessionkey` varchar(80) NOT NULL DEFAULT '' COMMENT 'Temporary storage of session key used to pass data from authserver to worldserver',
   `v` varchar(64) NOT NULL DEFAULT '',
   `s` varchar(64) NOT NULL DEFAULT '',
   `email` varchar(254) NOT NULL DEFAULT '',
diff --git a/sql/updates/auth/2013_02_07_00_auth_account.sql b/sql/updates/auth/2013_02_07_00_auth_account.sql
new file mode 100644
index 00000000000..03bdf8cdcd5
--- /dev/null
+++ b/sql/updates/auth/2013_02_07_00_auth_account.sql
@@ -0,0 +1,3 @@
+UPDATE `account` SET `sessionkey`='';
+ALTER TABLE `account`
+CHANGE `sessionkey` `sessionkey` varchar(80) NOT NULL DEFAULT '' COMMENT 'Temporary storage of session key used to pass data from authserver to worldserver' AFTER `sha_pass_hash`;