AutoLoginID / Function etc.
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Re: AutoLoginID / Function etc.
Seems like this could be a pretty critical issue. I'm interested in how this is going to work also.
Re: AutoLoginID / Function etc.
Any updates on this issue? Seems pretty important to be snuffed.
Re: AutoLoginID / Function etc.
hater wrote: Any updates on this issue? Seems pretty important to be snuffed.
It can't be an issue since phpbb2.2 is not released yet, and it has been used by phpbb before along with other systems. More like a recommendation, well not really, was just a decision on possible other ways.
Re: AutoLoginID / Function etc.
IMHO easy to fix by adding a field "random generated passphrase". When a user subscribes a random 128-character string is added in the user-database. The cookie then uses this string to login, rather than the hashed password. Whenever the user changes his real password, a new "second" password is generated and the old cookie doesn't work anymore.
Correct me if I'm wrong!
Re: AutoLoginID / Function etc.
You are correct, as I think...
My suggestion was to add a field with a random number (when user registers), mix this up with the password hash, md5 it and store it... voila, there is your autologinid.
th23
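The two designs described above, as an added example that is not code from phpBB or from either poster: a `Board` class that stores a random 128-character autologin key beside the password hash and rotates it on password change (the "random generated passphrase" post), plus a `derived_autologin_id` method for th23's variant of hashing a per-user random number together with the password hash. The class and method names, the in-memory user table, and SHA-256 standing in for md5 are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class Board:
    """One forum installation with its own user table (constructed in-memory stand-in)."""

    def __init__(self) -> None:
        self.users: Dict[str, Dict[str, str]] = {}

    @staticmethod
    def hash_password(password: str) -> str:
        # Stand-in for the board's password hash; the autologin scheme does
        # not depend on which password hash the board uses.
        return hashlib.sha256(password.encode()).hexdigest()

    def register(self, username: str, password: str) -> None:
        # Store the password hash plus two per-user random values:
        #  - autologin_key: the random 128-character "second password" from
        #    the first post, used only by the cookie
        #  - salt: the random number from th23's variant, mixed with the
        #    password hash to derive an autologinid
        self.users[username] = {
            "password_hash": self.hash_password(password),
            "autologin_key": secrets.token_hex(64),  # 64 bytes -> 128 hex chars
            "salt": secrets.token_hex(16),
        }

    def issue_cookie(self, username: str) -> str:
        # The cookie carries the random key, never the password hash.
        return f"{username}:{self.users[username]['autologin_key']}"

    def verify_cookie(self, cookie: str) -> Optional[str]:
        # Returns the username on success, None otherwise. compare_digest
        # avoids leaking how many characters matched through timing.
        username, _, key = cookie.partition(":")
        user = self.users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(user["autologin_key"].encode(), key.encode()):
            return None
        return username

    def change_password(self, username: str, new_password: str) -> None:
        # Rotating the key is what makes every previously issued cookie stop working.
        user = self.users[username]
        user["password_hash"] = self.hash_password(new_password)
        user["autologin_key"] = secrets.token_hex(64)

    def derived_autologin_id(self, username: str) -> str:
        # th23's variant: hash(random salt + password hash). The post says md5;
        # SHA-256 is substituted here. Because the salt is generated per board,
        # the same username and password on another board yield a different id.
        user = self.users[username]
        return hashlib.sha256((user["salt"] + user["password_hash"]).encode()).hexdigest()


if __name__ == "__main__":
    board_a, board_b = Board(), Board()
    for board in (board_a, board_b):
        board.register("alice", "correct horse")  # constructed sample account
    cookie = board_a.issue_cookie("alice")
    print(board_a.verify_cookie(cookie))           # alice
    print(board_b.verify_cookie(cookie))           # None: key is per board
    board_a.change_password("alice", "new one")
    print(board_a.verify_cookie(cookie))           # None: old cookie rotated out
```

Two properties from the thread are visible here: a cookie stolen from one board is useless on another board where the same user registered with the same password, because each board generated its own random values, and changing the password invalidates every cookie issued before the change.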
Re: AutoLoginID / Function etc.
sigh ... so, I get hold of your autologinid, craft a cookie and login ... no need for passwords. Like we say all the time do not use autologin on a public computer. It's intended purely and practically exclusively for use on your personal system. If you use it on a public system you are opening yourselves up to a lot of problems ... people can and do trawl lists of cookies on insecure systems.
Like I say elsewhere, do you guys not think we've thought about these things before? Does no one read anything I write here? I do wonder at times.
Re: AutoLoginID / Function etc.
psoTFX wrote: Like I say elsewhere, do you guys not think we've thought about these things before? Does no one read anything I write here?
I'm sorry, I thought that the "Discuss 2.2" forum is there to discuss such things... and yes, I think you and the developers have thought about this, but why shouldn't we discuss it too?
And yes again, I read, what you tell...
th23
Re: AutoLoginID / Function etc.
Discuss all you like ... but cut out the "You could do it this way" bit ... "new" users are very easily put off by these sort of discussions, particularly when persons discussing it haven't put (it seems) all that much real thought into what they are saying.
Re: AutoLoginID / Function etc.
Okay! I think I got the point...
But if you are already ahead of us with your knowledge about this point, we're always interested in it... probably you have a thought we did not so far.
Back to discussion: The thing I wanted to point out was that creating a hash not (only) based on the password but on an additional random number will provide more security, because if the hacker could steal one cookie, he can only compromise one board, none of the others the same user (username) is registered on, because there he would have to use another random number...
But overall you're correct, if he has access to all cookies he would probably steal all of them, and the nice security addon is gone...
th23
Re: AutoLoginID / Function etc.
You should never use the same password for each board ... what you are all forgetting is that any security system is as good as its weakest link. From the comments I'm reading here that weakest link is rapidly being shown to be the user 