You are not logged in. Please login or register.
PunBB Forums → General discussion → Security of Pun's authentification
guys! we a re talking about moving authorization metod from cookie to sessions! its MUCH more secure to store data at server than at client, any malicious hacker can get punbb authorization data from cookie with javascript(of course if the browser allows it and most of them do, by default)
XuMiX bingo! 
XuMiX: Anyone can get PunBB authorization data from cookie with JavaScript? Show me. That can only happen if PunBB has an XSS vulnerability.
guys! we a re talking about moving authorization metod from cookie to sessions! its MUCH more secure to store data at server than at client, any malicious hacker can get punbb authorization data from cookie with javascript(of course if the browser allows it and most of them do, by default)
I hardly know a thing about sessions, but it just seems weird that hardly any other forum packages use them...
lol, phpbb, ipb use them at least
But they still use cookies as well for the authentication system...
OK, my bad.
The fact remains. If PunBB has a security weakspot, it is not in it's authentication system.
Your right when you say that sessions would be stronger overall. The password(in md5) will then no longer be present in your cookies. But still its vulnerable.
Still some could steal your cookie by an XSS attack. And use your session for the remaining time.
A some what more of an security issue. Is the way you can change your password in profile.php.
Last week I logged into my forum as admin at my brothers pc. After a short break a came back online at a different pc. Noticed that I no longer could log in as admin. And that my password was changed. Just before I wanted to change it directly in MySQL . My brother said he had changed the pass for the fun.
So really nothing to worry about.
The moral of this story is. That punbb should ask for your old password when changing to a new password.
I?m sorry if this is already done . Because at that time I was running punbb 1.2 .
Whoops just noticed it that it allready has been fixed.
The moral of this story is. That punbb should ask for your old password when changing to a new password.
It does. Not for administrators though.
The real morale of the story is don't let your brother on your PC 
Well Connorhd your right you can't even trust you're own family. But still would be nice if punBB 1.3 would ask your old password to if your an admin.
So we decided to try session method of store personal data.
Soon, as I think, we'll tell you about results. 
but surely you still need to use a cookie for when the session expires?
Well Connorhd your right you can't even trust you're own family.
Admins changing the password of others don't know the original pass
Orpheus wrote:Well Connorhd your right you can't even trust you're own family.
Admins changing the password of others don't know the original pass
I think he is refering to when an admin changes his/her password in the admin. It does not ask for current password .
It does. Not for administrators though.
but surely you still need to use a cookie for when the session expires?
Why? Is it a affirmation or question ?
sort of a question, anyway my logic is, how will punbb know if your logged in when you come back without a cookie?
SSL/https ...
sorry but wtf?
if you want secure authentication, then you should make sure the data transferred is encoded in some way, preferably all data you send ... md5:ing a password on client side feels no more secure than plain text IMHO (if they try to bruteforce by using commong words, they just md5 aswell, if they're sniffing traffic, they get the same information) ... if the md5 on clientside is supposed to work, one would need a unique extra md5 baked into it,(preferably unique per user & forum) ... but as long as it's http, network sniffers will still get all the info they need...
I would never use http for things I want secure... there's a reason banks etc use ssl/s-http etc...
ssl doesn't make your cookie more secure or your login for that matter.
The only thing SSL does. Is encrypt your data. It is still possible to hijack your cookie with ssl enabled.
The banks simply use ssl to make sure when your banking that somebody who is listing on your line can't read the data without the keys.
But is doesn't mean that somebody can't login under your name. or use some kind of xss hack.
A good auth would involve a handshake . Something like what the ssh and ssl protocol do. But what ever you choose there is allways the need for the cookie.
What ever you cookie may contain. a session id or an encrypted password.
So you can make your auth as strong as you like. But when somebody can make an XSS hack that steals your cookie it's useless.
PS ssl and ssh are as strong as the encypted methods used. For example if your using blowfish or some other older encryption method. Your begging for trouble.
Let me ask one question. As a developer, how do you determine whats best, and how do you check your code for vulnerabilities? I am relatively new to PHP. I can usually read it better than I can develop with it. I have learned from books, tutorials, and other on-line resources. The one thing that I have learned, is that it seems like there is no one source that says, "this is how you should do it." Like there is some big secret society that wont leak out information. lol
I just want to learn how to make an authetication system, thats secure, with using PHP/MySQL. And will run on different webservers. Is that to much to ask? (sarcasim). Every book that I have read, or tutorial/artcile I have read, seems to tip-toe around the subject.
PunBB Forums → General discussion → Security of Pun's authentification
Powered by PunBB, supported by Informer Technologies, Inc.