switched from HMAC-MD5 to HMAC-SHA1 for signed cookies

mojolicious · Jun 14, 2012 · 6c2fbd2 · 6c2fbd2
1 parent ff97196
commit 6c2fbd2
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 8 deletions.
diff --git a/Changes b/Changes
@@ -1,6 +1,7 @@
 
 3.0  2012-06-14
   - Code name "Rainbow", this is a major release.
+  - Switched from HMAC-MD5 to HMAC-SHA1 for signed cookies.
   - Added support for new HTTP status code.
   - Renamed Mojo::CookieJar to Mojo::UserAgent::CookieJar.
   - Improved message parser performance slightly.
@@ -1909,7 +1910,7 @@
   - Fixed path detection bug in generated scripts. (merlyn)
   - Fixed a small redirect bug in Mojo::Client.
   - Fixed a route callback inheritance bug.
-  - Fixed a security problem in the HMAC MD5 implementation. (vti)
+  - Fixed a security problem in the HMAC-MD5 implementation. (vti)
 
 0.999926  2010-06-07
   - Added version requirement for all optional dependencies.

diff --git a/lib/Mojolicious/Controller.pm b/lib/Mojolicious/Controller.pm
@@ -409,7 +409,7 @@ sub signed_cookie {
   # Response cookie
   my $secret = $self->app->secret;
   return $self->cookie($name,
-    "$value--" . Mojo::Util::hmac_md5_sum($value, $secret), $options)
+    "$value--" . Mojo::Util::hmac_sha1_sum($value, $secret), $options)
     if defined $value;
 
   # Request cookies
@@ -421,7 +421,7 @@ sub signed_cookie {
       my $sig = $1;
 
       # Verified
-      my $check = Mojo::Util::hmac_md5_sum $value, $secret;
+      my $check = Mojo::Util::hmac_sha1_sum $value, $secret;
       if (Mojo::Util::secure_compare $sig, $check) { push @results, $value }
 
       # Bad cookie

diff --git a/lib/Mojolicious/Guides/Growing.pod b/lib/Mojolicious/Guides/Growing.pod
@@ -109,10 +109,10 @@ Traditionally all session data was stored on the server-side and only session
 ids were exchanged between browser and web server in the form of cookies.
 
   HTTP/1.1 200 OK
-  Set-Cookie: session=base64(hmac-md5(json($session)))
+  Set-Cookie: session=base64(hmac-sha1(json($session)))
 
 In L<Mojolicious> however we are taking this concept one step further by
-storing everything in C<HMAC-MD5> signed cookies, which is more compatible
+storing everything in C<HMAC-SHA1> signed cookies, which is more compatible
 with the REST philosophy and reduces infrastructure requirements.
 
 =head2 Test Driven Development
@@ -349,7 +349,7 @@ L<Mojolicious/"secret">.
 
   app->secret('Mojolicious rocks');
 
-This passphrase is used by the C<HMAC-MD5> algorithm to make signed cookies
+This passphrase is used by the C<HMAC-SHA1> algorithm to make signed cookies
 secure and can be changed at any time to invalidate all existing sessions.
 
   $self->session(user => 'sri');
@@ -373,7 +373,7 @@ method L<Mojolicious::Controller/"flash">.
   $self->flash(message => 'Everything is fine.');
   $self->redirect_to('goodbye');
 
-Just remember that everything is stored in C<HMAC-MD5> signed cookies, so
+Just remember that everything is stored in C<HMAC-SHA1> signed cookies, so
 there is usually a 4096 byte limit, depending on the browser.
 
 =head2 Final prototype

diff --git a/t/mojolicious/group_lite_app.t b/t/mojolicious/group_lite_app.t
@@ -253,7 +253,7 @@ ok $t->tx->res->cookie('mojolicious')->httponly,
 # GET /bridge2stash (broken session cookie)
 $t->reset_session;
 my $session = b("☃☃☃☃☃")->encode->b64_encode('');
-my $hmac    = $session->clone->hmac_md5_sum($t->app->secret);
+my $hmac    = $session->clone->hmac_sha1_sum($t->app->secret);
 $t->get_ok('/bridge2stash' => {Cookie => "mojolicious=$session--$hmac"})
   ->status_is(200)->content_is("stash too!!!!!!!\n");