Compliments on your recent Additions

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Post Reply
Fyrn
Registered User
Posts: 2
Joined: Sun Aug 29, 2004 3:08 pm

Compliments on your recent Additions

Post by Fyrn »

I've been using the CVS of Olympus on a private board for quite some time now, always keeping an eye on changes since I use phpBB to integrate a forum in my own CMS.

They share the Userbase for example, and since I want people to be able to log in everywhere, I have a "wrapper" that sets the appropriate cookies and communicates with phpBB (adding the session, etc.) on a login.

I've just recently, again, thought that the way of saving the password hash in a cookie was way too insecure and thought up a way to make it secure. After checking out the most recent CVS, I figured my implementation wasn't working anymore and autologin didn't work, so I checked the cookies, and HOORAY, you've implemented the exact thing that I thought up (storing a key to be set in the cookie, instead of the real Password). I would've suggested that somewhen, but oh well.

A small suggestion for it though: everytime a vanilla Session is created with a key, let it change the key and set a new cookie. That way, even if another XSS vuln. is found, the cookie retrieved won't be of much use since the original User probably logs in again without transmitting his new cookie to the attacker and receives a new key, rendering the old key the attacker received invalid. Unless you've already done that, which I haven't seen when looking at the code.

You've also inspired me to do an Events System with your Post and I have implemented something very close to what you seem to have begun to implement now ;)

And no, I'm serious. I haven't seen yours until mine was done. Brilliant Minds think alike, I guess. (I like to complement myself a lot, yes).

Anyway, nice work, keep it up and bring Olympus on already. I'll be using it anyway. Beta Software keeps the Scriptkiddies away too (No Googling for "phpBB3 exploit", heh) ;)
User avatar
Viperal2
Registered User
Posts: 223
Joined: Tue Jun 08, 2004 9:28 pm
Contact:

Re: Compliments on your recent Additions

Post by Viperal2 »

Fyrn wrote: A small suggestion for it though: everytime a vanilla Session is created with a key, let it change the key and set a new cookie. That way, even if another XSS vuln. is found, the cookie retrieved won't be of much use since the original User probably logs in again without transmitting his new cookie to the attacker and receives a new key, rendering the old key the attacker received invalid. Unless you've already done that, which I haven't seen when looking at the code.
This is already implemented.

Looks like you haven't done a CVS update in a long time, it's been there for some time now.
Fyrn wrote: You've also inspired me to do an Events System with your Post and I have implemented something very close to what you seem to have begun to implement now ;)
What post, what do you mean have begun to implement. Maybe my I need to do an CVS update.
What is The Viperal ?

http://developer.berlios.de/projects/viperals/" target="_blank
Fyrn
Registered User
Posts: 2
Joined: Sun Aug 29, 2004 3:08 pm

Re: Compliments on your recent Additions

Post by Fyrn »

I usually update whenever I have the time to look at the code, might've been a month or more until I updated yesterday.

The Post I was talking about, is the community coding projects thing, where an Event System was mentioned. That spawned the idea for me. Well, that, and the Event System World of Warcraft is using in the AddOns (it's just registering an event, registering for an event, calling the event for all registered ..you get it, nothing complicated).

It seems to be making it's way into the phpBB Source now too.

Code: Select all

//				global $evt;
//				$evt->trigger(EVT_NEW_SESSION, $this->data); 
Post Reply