How should 'customers_secret' be handled in upgrade?
I'm moving a 1.5.6b database into a fresh install of 1.5.8 and everything has been working well so far but I noticed that 'customers_secret' was not a column in the old database and that it is not nullable in the new database. I was able to properly import the old data without issue but I was wondering if that was creating a security issue since every customer's secret is just an empty varchar(64). Does that mean customer accounts are at risk of unauthorized password resets if someone tries to enter a blank secret to reset an account's password?
Re: How should 'customers_secret' be handled in upgrade?
Quote: Originally Posted by clam_man
I'm moving a 1.5.6b database into a fresh install of 1.5.8 and everything has been working well so far but I noticed that 'customers_secret' was not a column in the old database and that it is not nullable in the new database. I was able to properly import the old data without issue but I was wondering if that was creating a security issue since every customer's secret is just an empty varchar(64). Does that mean customer accounts are at risk of unauthorized password resets if someone tries to enter a blank secret to reset an account's password?
That new field is used only when using the admin-login-as-customer feature introduced in zc157.
Re: How should 'customers_secret' be handled in upgrade?
Thank you for the reply. I appreciate you clearing that up for me. I was worried and wanted to make sure before making the new site live. Looks like nothing at all to worry about then!