Subject: The mailing list for listmasters using Sympa

  • From: Serge Aumont <address@concealed>
  • To: Philip Crandall <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-users] replacing cookie value for existing sympa installation
  • Date: Wed, 15 Oct 2008 08:17:20 +0200

Philip Crandall wrote:

Hello,

We need to replace the cookie secret value for our sympa installation. I know that the secret is used for passwords stored in the database as well as for generating session cookies. Most of our users are ldap users, and I’ve figured out how to decrypt and re-encrypt the passwords in the database manually. I also see that the cookie.history file would need to be changed to allow sympa to start with the new value. Is there anywhere else that the secret is used? Are there other caveats to changing this value?

You describe the process for that correctly. Existing sessions will be broken, but everything else will be OK.

Additionally, we feel that an 8 byte hash probably does not provide sufficient protection of the secret. Is there a specific reason for an 8-byte length (in cookielib.pm)? Would it be safe to increase the length to 16 or 32 bytes?

You are right, but Sympa 5.4 now provides safer authentication management:

- cookies are just pure random values. They are used to fetch session attributes from the database, including identity (which is the user's email in Sympa).
- the cookie value is renewed at each hit, so you can't use it twice.

In version 6, passwords are no longer stored in a reversible encryption mode. The database only contains an MD5 fingerprint of the password, so if some hacker gets the database content they will not be able to retrieve passwords. This way I think Sympa becomes much more secure.

Serge Aumont
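Added example (Python, not Sympa's own Perl code): a minimal session store of the kind the reply describes, where the cookie is a purely random token looked up in a table and replaced on every hit, so a captured cookie cannot be replayed. The class name, the in-memory table standing in for Sympa's database, and the addresses are assumptions for illustration.

```python
import secrets
import time


class SessionStore:
    """Session table keyed by random cookie value (constructed stand-in for a DB table)."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.sessions = {}  # token -> {"email": ..., "expires": ...}

    @staticmethod
    def _new_token():
        # Pure randomness from the OS CSPRNG: the value is not derived from any
        # server secret, so leaking the cookie secret cannot be used to forge one.
        return secrets.token_urlsafe(32)

    def login(self, email):
        """Create a session for an authenticated user and return its cookie value."""
        token = self._new_token()
        self.sessions[token] = {"email": email, "expires": time.time() + self.ttl}
        return token

    def hit(self, token):
        """Resolve a cookie to an identity and rotate it.

        Returns (email, new_token), or None if the cookie is unknown or expired.
        The presented token is consumed either way, so it can never be used twice.
        """
        session = self.sessions.pop(token, None)
        if session is None or session["expires"] < time.time():
            return None
        new_token = self._new_token()
        session["expires"] = time.time() + self.ttl
        self.sessions[new_token] = session
        return session["email"], new_token

    def logout(self, token):
        self.sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    first = store.login("alice@example.org")  # constructed sample identity
    email, second = store.hit(first)
    print("identity:", email)
    print("replay of first cookie accepted?", store.hit(first) is not None)  # False
    print("fresh cookie accepted?", store.hit(second) is not None)  # True
```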


