Introduction
Drupal 7 core stores session ids in the database as-is. Anyone with read-only access to the database (for example via SQL injection) can therefore copy a session id, present it to Drupal in a session cookie and take over that session.
This module contains a patched core session.inc that only stores hashes of the session id. Attackers cannot offer this hash as a valid session id, nor derive the session id from the hash, nor realistically guess a string that hashes to the same value.
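The following is an added illustration of the hash-on-store scheme described above; it is not code from this module or from Drupal core. It stands in for the sessions table with an in-memory dictionary and uses SHA-256 with URL-safe base64 encoding, which is an assumption about the exact hash (the real patch lives in the module's session.inc). The point it makes is the one in the paragraph: a leaked table row cannot be replayed as a cookie, because the lookup hashes whatever the browser presents before comparing.

```python
import base64
import hashlib
import hmac
import secrets


def hash_session_id(sid: str) -> str:
    """One-way hash of a session id; only this value is ever persisted.

    SHA-256 + URL-safe base64 is an assumption for this example, not
    necessarily the exact encoding the module's session.inc uses.
    """
    digest = hashlib.sha256(sid.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class HashedSessionStore:
    """Minimal stand-in for the sessions table, keyed by hashed session id."""

    def __init__(self):
        self._rows = {}  # hashed sid -> session data

    def create(self, uid: int) -> str:
        # The raw id goes only to the browser (cookie); the table sees the hash.
        sid = secrets.token_urlsafe(32)
        self._rows[hash_session_id(sid)] = {"uid": uid}
        return sid

    def lookup(self, cookie_value: str):
        """Resolve the value a browser presented in its session cookie.

        The cookie is hashed before comparison, so a value copied out of the
        table (which is already a hash) hashes to something else and fails.
        """
        candidate = hash_session_id(cookie_value)
        for stored_hash, data in self._rows.items():
            if hmac.compare_digest(stored_hash, candidate):
                return data
        return None

    def dump_table(self):
        """What a read-only database leak would expose: hashes only."""
        return list(self._rows.keys())


def replay_leaked_row_fails() -> bool:
    """Constructed scenario: legitimate cookie works, leaked table value does not."""
    store = HashedSessionStore()
    sid = store.create(uid=1)
    leaked = store.dump_table()[0]
    return (
        store.lookup(sid) == {"uid": 1}
        and leaked != sid
        and store.lookup(leaked) is None
    )


if __name__ == "__main__":
    print("leaked row replay rejected:", replay_leaked_row_fails())
```

Note that the hash here has no secret key: its purpose is only to make the stored value useless as a cookie, and the session id itself already carries enough entropy that guessing a preimage is infeasible, which is why the Drupal 8 patch and this backport do not need a salt or HMAC for this step.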
Drupal 8 version
This module has no use on Drupal 8, 9 or 10, because core already stores hashed session identifiers.
Installation
- Put the site in maintenance mode
- Replace the session handler in settings.php (see below)
- Login again
- Enable the module, existing session ids will now be hashed
- Remove the site from maintenance mode
Users who access the site between step 3 (logging in again) and the end of step 4 (enabling the module) may find themselves logged out. Step 3 can be skipped if drush is used to enable the module.
Replacing the session handler
To replace the session handler, point the configuration variable session_inc to the file hashed_sessions.session.inc.
As an example, one would add the following to the active settings.php:
$conf['session_inc'] = 'sites/all/modules/contrib/hashed_sessions/inc/hashed_sessions.session.inc';
Uninstallation
- Put the site in maintenance mode
- Remove the $conf['session_inc'] assignment in settings.php
- Login and disable the module
- Remove the site from maintenance mode
All users will lose their association with their current session. Authenticated users will be logged out, anonymous users will lose session information such as their shopping cart.
Credits
The module uses a backport of the Drupal 8 hashed session id patch from #2164025.
- Original patch by Zsolt Tasnadi and Peter Wolanin
- Backport by Zsolt Tasnadi
Module by LimoenGroen to harden Drupal voor Gemeenten installations.
Project information
Minimally maintained
Maintainers monitor issues, but fast responses are not guaranteed.
No further development
No longer developed by its maintainers.
- Project categories: Security
1 site reports using this module
- Created by heine on , updated
Stable releases for this project are covered by the security advisory policy.
There are currently no supported stable releases.