Compliments on your recent Additions

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Fyrn
Registered User
Posts: 2
Joined: Sun Aug 29, 2004 3:08 pm

Compliments on your recent Additions

Post by Fyrn »

I've been using the CVS of Olympus on a private board for quite some time now, always keeping an eye on changes since I use phpBB to integrate a forum in my own CMS.

They share the Userbase for example, and since I want people to be able to log in everywhere, I have a "wrapper" that sets the appropriate cookies and communicates with phpBB (adding the session, etc.) on a login.

I've just recently, again, thought that the way of saving the password hash in a cookie was way too insecure and thought up a way to make it secure. After checking out the most recent CVS, I figured my implementation wasn't working anymore and autologin didn't work, so I checked the cookies, and HOORAY, you've implemented the exact thing that I thought up (storing a key to be set in the cookie, instead of the real password). I would've suggested that at some point, but oh well.

A small suggestion for it though: every time a vanilla session is created with a key, let it change the key and set a new cookie. That way, even if another XSS vuln. is found, the cookie retrieved won't be of much use, since the original user probably logs in again without transmitting his new cookie to the attacker and receives a new key, rendering the old key the attacker received invalid. Unless you've already done that, which I haven't seen when looking at the code.

You've also inspired me to do an Events System with your Post and I have implemented something very close to what you seem to have begun to implement now ;)

And no, I'm serious. I hadn't seen yours until mine was done. Brilliant minds think alike, I guess. (I like to compliment myself a lot, yes.)

Anyway, nice work, keep it up and bring Olympus on already. I'll be using it anyway. Beta software keeps the script kiddies away too (no Googling for "phpBB3 exploit", heh) ;)

Viperal2
Registered User
Posts: 223
Joined: Tue Jun 08, 2004 9:28 pm

Re: Compliments on your recent Additions

Post by Viperal2 »

Fyrn wrote: A small suggestion for it though: every time a vanilla session is created with a key, let it change the key and set a new cookie. That way, even if another XSS vuln. is found, the cookie retrieved won't be of much use, since the original user probably logs in again without transmitting his new cookie to the attacker and receives a new key, rendering the old key the attacker received invalid. Unless you've already done that, which I haven't seen when looking at the code.
This is already implemented.

Looks like you haven't done a CVS update in a long time, it's been there for some time now.
Fyrn wrote: You've also inspired me to do an Events System with your Post and I have implemented something very close to what you seem to have begun to implement now ;)
What post? What do you mean, "have begun to implement"? Maybe I need to do a CVS update.

What is The Viperal? http://developer.berlios.de/projects/viperals/
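The key rotation Fyrn suggests and Viperal2 confirms, shown as an added example that is not phpBB's code: the cookie carries a random key, only the key's hash is stored server-side, and every successful autologin revokes the presented key and issues a fresh one, so a copied cookie stops working after the real user's next visit. The in-memory KEY_STORE, the user id 42 and the function names are assumptions standing in for a database table.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed in-memory store standing in for a sessions-keys table.
# Maps user_id -> set of sha256(key) hex digests; the raw key is never stored.
KEY_STORE: Dict[int, Set[str]] = {}


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


def issue_autologin_key(user_id: int) -> str:
    """Create a fresh random key, persist its hash, return the raw key for the cookie."""
    key = secrets.token_hex(16)
    KEY_STORE.setdefault(user_id, set()).add(_digest(key))
    return key


def autologin(user_id: int, cookie_key: str) -> Optional[str]:
    """Validate the key from the cookie; on success revoke it and return a replacement.

    Returns None when the key is unknown: expired, already rotated, or forged.
    """
    hashes = KEY_STORE.get(user_id, set())
    presented = _digest(cookie_key)
    # Compare in constant time against each stored hash for this user.
    match = next((h for h in hashes if hmac.compare_digest(h, presented)), None)
    if match is None:
        return None
    hashes.discard(match)  # the old key is now useless to anyone who copied it
    return issue_autologin_key(user_id)  # new key goes into a new Set-Cookie


def demo() -> Tuple[bool, bool]:
    """Show that a copied key stops working once the real user's visit rotates it."""
    uid = 42  # constructed user id
    original = issue_autologin_key(uid)  # set in the user's cookie at login
    copied = original  # the same value captured by a third party (e.g. via XSS)
    rotated = autologin(uid, original)  # legitimate user returns; key rotated
    user_ok = rotated is not None
    copy_ok = autologin(uid, copied) is not None  # old key was revoked
    return user_ok, copy_ok  # returns (True, False)
```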

Fyrn
Registered User
Posts: 2
Joined: Sun Aug 29, 2004 3:08 pm

Re: Compliments on your recent Additions

Post by Fyrn »

I usually update whenever I have the time to look at the code, might've been a month or more until I updated yesterday.

The post I was talking about is the community coding projects thing, where an event system was mentioned. That spawned the idea for me. Well, that, and the event system World of Warcraft uses in its AddOns (it's just registering an event, registering for an event, calling the event for all registered ... you get it, nothing complicated).

It seems to be making its way into the phpBB source now too.


// global $evt;
// $evt->trigger(EVT_NEW_SESSION, $this->data);
