Urgent: truncate sessions while changing cookies

jmpoure
Registered User
Posts: 81
Joined: Sun Mar 11, 2007 9:42 am

Urgent: truncate sessions while changing cookies

Post by jmpoure

Dear friends,

My forum (3000 users, 400.000 posts) got hacked after I changed the cookie name and path.
Someone became admin and gave admin rights to all users.

I had no idea of phpBB internals and did not know that I had to truncate (drop all records in) the session tables.

Could it become an automatic feature of phpBB?
When changing the cookie name, all sessions should be reset.
Under PostgreSQL, you can use "truncate table_name" to clear all records in a table.

I am probably not the only one in this case.
I opened a bug, but people said it was a support issue.

False!! It is a clear bug.

Kind regards,
JM

A_Jelly_Doughnut
Registered User
Posts: 1780
Joined: Wed Jun 04, 2003 4:23 pm

Re: Urgent: truncate sessions while changing cookies

Post by A_Jelly_Doughnut

jmpoure wrote:
Dear friends,

My forum (3000 users, 400.000 posts) got hacked after I changed the cookie name and path.
Someone became admin and gave admin rights to all users.

Cookies simply don't work that way. I can't deny that it happened, but it was not through this avenue.
A_Jelly_Doughnut
