How should 'customers_secret' be handled in upgrade?

**clam_man** · 14 Jul 2024, 02:16 AM

I'm moving a 1.5.6b database into a fresh install of 1.5.8 and everything has been working well so far but I noticed that 'customers_secret' was not a column in the old database and that it is not nullable in the new database. I was able to properly import the old data without issue but I was wondering if that was creating a security issue since every customer's secret is just an empty varchar(64). Does that mean customer accounts are at risk of unauthorized password resets if someone tries to enter a blank secret to reset an account's password?

**lat9** · 14 Jul 2024, 05:48 PM

Originally Posted by clam_man

I'm moving a 1.5.6b database into a fresh install of 1.5.8 and everything has been working well so far but I noticed that 'customers_secret' was not a column in the old database and that it is not nullable in the new database. I was able to properly import the old data without issue but I was wondering if that was creating a security issue since every customer's secret is just an empty varchar(64). Does that mean customer accounts are at risk of unauthorized password resets if someone tries to enter a blank secret to reset an account's password?

That new field is used only when using the admin-login-as-customer feature introduced in zc157.

**clam_man** · 15 Jul 2024, 01:19 AM

Thank you for the reply. I appreciate you clearing that up for me. I was worried and wanted to make sure before making the new site live. Looks like nothing at all to worry about then!