Hi
couldn't find a topic about this via search, so: Can anyone explain what is stored in the autologinid in the phpbb22_data cookie? And how are the passwords, hashes, etc. handled in the upcoming phpBB 2.2?
The reason for this thread is less to get any support and more to discuss the general approach on that topic, because I just read a topic about the new system used by (sorry for naming competitors) Invision.
th23
AutoLoginID / Function etc.
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Re: AutoLoginID / Function etc.
Ok, I just figured out that the "autologinid" in the cookie is just the md5-encrypted user password... do you think this is secure enough? Especially for cross-site attacks...
-
- Registered User
- Posts: 1546
- Joined: Wed Apr 09, 2003 8:44 pm
- Location: London, United Kingdom
Re: AutoLoginID / Function etc.
Erm... no it's not... my Autologin cookie SID doesn't match my password's md5()... unless I'm using a different password here than I thought...
Rob
Re: AutoLoginID / Function etc.
Hmm,
my "user_password" in the "users" table matches exactly the "autologinid" field in the "_data" cookie... this can't be a coincidence, or can it?
th23
Re: AutoLoginID / Function etc.
It does appear that you are correct:
Code:
<?php
// phpBB 2.2 login code as quoted in this thread: when "log me in automatically"
// is ticked, the autologin cookie value is simply md5() of the plaintext password
$autologin = (!empty($autologin)) ? md5($password) : '';
Rob
Re: AutoLoginID / Function etc.
Ok, wouldn't it be better to use something not (only) related to the password? Because once you steal a cookie with the md5-ed password, you can log in to every board where the user uses the same password, just by modifying the cookie...
Re: AutoLoginID / Function etc.
Maybe if the user has a permanent session (not really a session, but just the data) in the database, that would help. Then you can compare the IP address, browser and other info. This can be done. And maybe only allow autologin from one PC.
Or the user IP in the database can be linked to the autologin, which may be better; change the IP once a new computer is set to auto login. It would only allow one PC to autologin at a time, though.
Re: AutoLoginID / Function etc.
That won't work.
Never heard of Dynamic IPs? My IP changes every morning when I switch my PC on. I certainly don't want to go to all the bother of logging-in at dozens of sites every day.
Easy solution is to store a random hash of something in the DB, and then store that in the user's cookie. Then the two can be later compared, yada yada yada.
Rob
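The random-token scheme Rob describes, written out as an added example in PHP (this is not code from the thread or from phpBB itself): a fresh token is issued per autologin, only its hash is stored server-side, the cookie is checked with a constant-time compare and can be revoked. The $users array and the issue_autologin, check_autologin and revoke_autologin names are assumptions standing in for the real users table and login code.

```php
<?php
// Constructed stand-in for the users table (not phpBB's schema).
$users = [7 => ['username' => 'th23', 'user_password' => md5('hunter2')]];

// The scheme the thread found: cookie = md5(password). Whoever holds the cookie
// holds a password-equivalent that is also valid on any board using that password.
function weak_autologin_value(string $password): string {
    return md5($password);
}

// Hardened: random token from the CSPRNG, hash stored in the DB, raw token to the
// browser. The cookie is now per-board, per-login and revocable.
function issue_autologin(array &$users, int $userId): string {
    $token = bin2hex(random_bytes(32));                      // 256 bits of entropy
    $users[$userId]['autologin_hash'] = hash('sha256', $token);
    $users[$userId]['autologin_expires'] = time() + 30 * 86400;
    return $userId . ':' . $token;                           // cookie value
}

// Validate a presented cookie. Returns the user id on success, null otherwise.
function check_autologin(array $users, string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    [$userId, $token] = [(int) $parts[0], $parts[1]];
    if (!isset($users[$userId]['autologin_hash'])) {
        return null;                                         // no active autologin
    }
    if ($users[$userId]['autologin_expires'] < time()) {
        return null;                                         // expired: real login required
    }
    // hash_equals() is constant-time, so response timing reveals nothing about the stored hash.
    return hash_equals($users[$userId]['autologin_hash'], hash('sha256', $token)) ? $userId : null;
}

// Revoke on logout or password change; a stolen cookie stops working immediately,
// which md5(password) cannot offer without changing the password everywhere.
function revoke_autologin(array &$users, int $userId): void {
    unset($users[$userId]['autologin_hash'], $users[$userId]['autologin_expires']);
}

$cookie = issue_autologin($users, 7);
var_dump(check_autologin($users, $cookie));                          // freshly issued cookie
var_dump(check_autologin($users, '7:' . weak_autologin_value('hunter2'))); // password hash as cookie
revoke_autologin($users, 7);
var_dump(check_autologin($users, $cookie));                          // same cookie after revocation
```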
Re: AutoLoginID / Function etc.
*Viperal smacks himself*
Roberdin wrote: That won't work.
Never heard of Dynamic IPs? My IP changes every morning when I switch my PC on. I certainly don't want to go to all the bother of logging-in at dozens of sites every day.
Easy solution is to store a random hash of something in the DB, and then store that in the user's cookie. Then the two can be later compared, yada yada yada.
Forgot about that, lol. Me and my cable forget anything else even exists.