zaher wrote:

1- You are admin in your forum
2- You are a user in my forum
3- You have the same password

I can hack your forum, easily, with small tools (I can build one in Delphi).

So I try to add an idea (don't hate me if I do not understand you, read my sign)

adding to config.php

$login_key = 'any string';//every forum must define it and keep it secret

and modify some files (I have not tested it, it is just an idea)

//line 54 in login.php
//after 
    $form_password_hash = pun_hash($form_password);
//add
    $cookie_form_password_hash = pun_hash($login_key.$form_password_hash); //hash the saved hashed password

//in line 75
    setcookie($cookie_name, serialize(array($db_username, $form_password_hash)), $expire, $cookie_path, $cookie_domain, $cookie_secure);
//change
    $form_password_hash 
    to 
    $cookie_form_password_hash


//in function.php
//line 42
    $result = $db->query('SELECT * FROM '.$db->prefix.'users WHERE username=\''.addslashes($cookie['username']).'\' AND password=\''.addslashes($cookie['password_hash']).'\'') or error('Unable to fetch user information', __FILE__, __LINE__, $db->error());
    $cur_user = $db->fetch_assoc($result);

//remove the condition 
    AND password=\''.addslashes($cookie['password_hash']).'\''

//and add after
// to compare the saved double hashed password; note $login_key here
    if (pun_hash($login_key.$cur_user['password']) != $cookie['password_hash'])
        error('Unable to fetch user information', __FILE__, __LINE__, null);

Hmmm.. I don't think this method adds very much security. If you have a forum it's simple to retrieve the "real" password and not the hashed one.
You just have to add some code in the login procedure.

This could add security if the attacker only has access to the database or if an attacker manages to steal the victim's cookie from your forum.




zaher wrote:

Why need to track that?

There is a new way: when logging in, generate a random string value for $login_key and save it in the cookie with the double hashed password,
and before comparing with the hashed password fetched from the database

[this is not real code, just for explaining]

$login_key = random key
$cookie_double_hashed_password = pun_hash($login_key.$hashed_password);
setcookie('password_hash', $cookie_double_hashed_password);
setcookie('login_key', $login_key);

now checking passwords

$login_key = $_COOKIE['login_key'];
$database_double_hashed_password = pun_hash($login_key.$database_hashed_password);
if ($database_double_hashed_password != $_COOKIE['password_hash'])
    login fail

Do you mean that the random key should be stored in the cookie?

In the scenario that you have access to the hashed pw, you could just create the double hashed pw with any number on your own. The only thing you need to know is how the pun_hash works.
This way anyone can create a valid cookie out of the pwhash in the db.

This method only gives security if the attacker has stolen the cookie from your forum.
But if he manages to steal the cookie from your forum he could probably steal the cookie from the victim's own forum too. Then he could just use the cookie as it is.

I hope I made any sense and that I haven't misunderstood anything.

EDIT: My suggestion would be to use the second method but store the random number in the DB. I see no reason why this should be stored in the cookie.
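
The two variants discussed above, side by side, as an added example that is not part of the original posts and is not PunBB code. It checks whether a cookie built from the stored password hash alone passes validation when the random key travels in the cookie, and when it is kept in the user's database row as the EDIT suggests. Assumptions: `pun_hash_demo()` is a hypothetical stand-in for `pun_hash()` using SHA-1, all function names and the user row are constructed for illustration, and `hash_equals()` replaces the `!=` comparison from the posts.

```php
<?php
// Added example, not PunBB code. pun_hash_demo() is a hypothetical stand-in for pun_hash().
function pun_hash_demo(string $s): string { return sha1($s); }

// Variant A (second post): the random key is sent in the cookie next to the token.
function issue_key_in_cookie(string $db_hash): array {
    $key = bin2hex(random_bytes(16));
    return ['login_key' => $key, 'password_hash' => pun_hash_demo($key . $db_hash)];
}
function check_key_in_cookie(array $cookie, string $db_hash): bool {
    $expected = pun_hash_demo($cookie['login_key'] . $db_hash);
    return hash_equals($expected, $cookie['password_hash']);
}

// Variant B (the EDIT): the random key stays server-side in the user's row.
function issue_key_in_db(array &$row): array {
    $row['login_key'] = bin2hex(random_bytes(16));
    return ['password_hash' => pun_hash_demo($row['login_key'] . $row['password'])];
}
function check_key_in_db(array $cookie, array $row): bool {
    $expected = pun_hash_demo($row['login_key'] . $row['password']);
    return hash_equals($expected, $cookie['password_hash']);
}

// Constructed user row; 'password' holds the stored password hash, as in the posts.
$row = ['username' => 'alice', 'password' => pun_hash_demo('constructed-password'), 'login_key' => null];

// Cookies issued by a normal login under each variant.
$legit_a = issue_key_in_cookie($row['password']);
$legit_b = issue_key_in_db($row);

// A cookie assembled by someone who knows only the stored hash and the hash function:
// they pick the key themselves, which is the case raised in the last reply.
$chosen = 'any-value';
$built = ['login_key' => $chosen, 'password_hash' => pun_hash_demo($chosen . $row['password'])];

printf("A legit cookie accepted: %s\n", var_export(check_key_in_cookie($legit_a, $row['password']), true));
printf("A built cookie accepted: %s\n", var_export(check_key_in_cookie($built, $row['password']), true));
printf("B legit cookie accepted: %s\n", var_export(check_key_in_db($legit_b, $row), true));
printf("B built cookie accepted: %s\n", var_export(check_key_in_db($built, $row), true));
```

Neither variant changes what happens when the cookie itself is stolen, since a stolen cookie is replayed as it is.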