From fb43a92cc2aaffab42efebf025b6a12c01af8fde Mon Sep 17 00:00:00 2001 From: Shauren Date: Thu, 7 Feb 2013 16:15:23 +0100 Subject: Core/Accounts: sessionkey field in account table is only a temporary storage to pass data from authserver to worldserver and should only be used as such. Clearing sessionkey from database after a successful login to prevent possible exploits. --- sql/base/auth_database.sql | 2 +- sql/updates/auth/2013_02_07_00_auth_account.sql | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 sql/updates/auth/2013_02_07_00_auth_account.sql (limited to 'sql') diff --git a/sql/base/auth_database.sql b/sql/base/auth_database.sql index 9aaadcb55d5..cdff87c245a 100644 --- a/sql/base/auth_database.sql +++ b/sql/base/auth_database.sql @@ -26,7 +26,7 @@ CREATE TABLE `account` ( `id` int(10) unsigned NOT NULL AUTO_INCREMENT COMMENT 'Identifier', `username` varchar(32) NOT NULL DEFAULT '', `sha_pass_hash` varchar(40) NOT NULL DEFAULT '', - `sessionkey` varchar(80) NOT NULL DEFAULT '', + `sessionkey` varchar(80) NOT NULL DEFAULT '' COMMENT 'Temporary storage of session key used to pass data from authserver to worldserver', `v` varchar(64) NOT NULL DEFAULT '', `s` varchar(64) NOT NULL DEFAULT '', `email` varchar(254) NOT NULL DEFAULT '', diff --git a/sql/updates/auth/2013_02_07_00_auth_account.sql b/sql/updates/auth/2013_02_07_00_auth_account.sql new file mode 100644 index 00000000000..03bdf8cdcd5 --- /dev/null +++ b/sql/updates/auth/2013_02_07_00_auth_account.sql @@ -0,0 +1,3 @@ +UPDATE `account` SET `sessionkey`=''; +ALTER TABLE `account` +CHANGE `sessionkey` `sessionkey` varchar(80) NOT NULL DEFAULT '' COMMENT 'Temporary storage of session key used to pass data from authserver to worldserver' AFTER `sha_pass_hash`; -- cgit v1.2.3