1 (edited by afarber 2005-07-22 15:44)

Topic: Is it possible to use punBB with cookies disabled?

Hi,

I'm using PunBB 1.2.6 with Postgresql 7.4.3 and PHP 5.0.4
which was compiled with --enable-trans-sid and --enable-session.

Is it possible for a user with cookies disabled to still log in and use PunBB?
Can't cookies be replaced by the SID? My quick Firefox-test failed...

Regards
Alex

http://preferans.de/ - russian card game

2

Re: Is it possible to use punBB with cookies disabled?

afarber wrote:

Hi,

Is it possible for a user with cookies disabled to still log in and use PunBB?

I'm sure you can't.
Don't know for the sid.

Ludo,

3

Re: Is it possible to use punBB with cookies disabled?

Theoretically you could.
It needs heavy modification of the source though.
Instead of setting and modifying a cookie you must set and modify a session.
Sounds easy but it affects tons of pages.
And I wouldn't want it, this URL session handling is insecure like nothing else.
I mean anybody could find a URL with a valid session identifier somewhere...

The German PunBB Site:
PunBB-forum.de

Re: Is it possible to use punBB with cookies disabled?

Also you get the problem that search engines hate SIDs.

Re: Is it possible to use punBB with cookies disabled?

Tobi wrote:

And I wouldn't want it, this URL session handling is insecure like nothing else.
I mean anybody could find a URL with a valid session identifier somewhere...

How is it more insecure than saving the session id in the cookies?
If you add a hash on the username + expiry date + IP (actually the subnet),
then it should be ok, I think

Regards
Alex

http://preferans.de/ - russian card game

6

Re: Is it possible to use punBB with cookies disabled?

If you have the session ID in a cookie then somebody must hijack or otherwise steal the cookie.
Possible but technically more complex.

If you have the session ID in a string then you have the key to your site sitting in every url cache in any browser in any internet cafe where your users decided to visit your board.
In theory again but - any stupid can do it so it is likely that any stupid will do it. :)

Plus, technically challenged users will always copy the session ID when they send links to friends. They do, yes, I know this out of bad experience... Sure, you will have a timeout, but still you have to let the SID live for a while, right?

Plus, as connor said, search engines do not find these session strings very attractive.

The German PunBB Site:
PunBB-forum.de

Re: Is it possible to use punBB with cookies disabled?

Sorry, but your internet cafe example can be applied both to cookies and to URLs in cache.

BTW you can put an expiry date into the string that you are hashing 
(with MD5 or SHA) to prevent users tampering with it. Here is an example:
http://modperl.com/book/chapters/ch6.ht … ss_Control

What I'm trying to say is that cookies, URLs and hidden fields are actually the same
for the ticket methods. With the exception that some users disable the former.

Regards
Alex

http://preferans.de/ - russian card game
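
The ticket scheme discussed above (a hash over username, expiry date and client subnet), as an added example that is not part of any post and is not PunBB code. It uses HMAC-SHA-256 in place of the bare MD5/SHA hash mentioned, and the key, the ticket layout and all function names are assumptions.

```php
<?php
// Added example, not PunBB code. Key, ticket layout and names are assumptions.
const TICKET_KEY = 'constructed-demo-key-load-a-real-one-from-config';

// Reduce an IPv4 address to its /24 network (the "subnet" binding); null if not IPv4.
function subnet24(string $ip): ?string {
    $long = ip2long($ip);
    return $long === false ? null : long2ip($long & 0xFFFFFF00);
}

// Ticket layout: hex(username)|expiry|subnet|HMAC over the first three fields.
function issue_ticket(string $user, string $ip, int $ttl, int $now): string {
    $subnet = subnet24($ip);
    if ($subnet === null) {
        throw new InvalidArgumentException("not an IPv4 address: $ip");
    }
    $body = bin2hex($user) . '|' . ($now + $ttl) . '|' . $subnet;
    return $body . '|' . hash_hmac('sha256', $body, TICKET_KEY);
}

// Returns the username if the ticket is authentic, unexpired and presented
// from the same /24 it was issued to; otherwise null.
function verify_ticket(string $ticket, string $ip, int $now): ?string {
    $parts = explode('|', $ticket);
    if (count($parts) !== 4) {
        return null;
    }
    [$userHex, $expiry, $subnet, $mac] = $parts;
    $expected = hash_hmac('sha256', "$userHex|$expiry|$subnet", TICKET_KEY);
    if (!hash_equals($expected, $mac)) {          // constant-time comparison
        return null;
    }
    if ((int)$expiry < $now || $subnet !== subnet24($ip)) {
        return null;
    }
    return hex2bin($userHex);
}

// Constructed sample data: fixed clock and documentation-range addresses.
$now    = 1121000000;
$ticket = issue_ticket('alex', '192.0.2.10', 600, $now);
$forged = str_replace('|' . ($now + 600) . '|', '|' . ($now + 999999) . '|', $ticket);

var_dump(verify_ticket($ticket, '192.0.2.10', $now + 60));   // issuing host
var_dump(verify_ticket($forged, '192.0.2.10', $now + 60));   // expiry edited in the URL
var_dump(verify_ticket($ticket, '192.0.2.10', $now + 601));  // presented after expiry
var_dump(verify_ticket($ticket, '198.51.100.5', $now + 60)); // different subnet
var_dump(verify_ticket($ticket, '192.0.2.77', $now + 60));   // another host in the same /24
```

The MAC stops a user from editing the username or expiry, but the ticket remains a bearer token: an unmodified copy is accepted from any address in the same /24 until it expires, whichever transport (cookie, URL or hidden field) carried it.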

8

Re: Is it possible to use punBB with cookies disabled?

afarber wrote:

What I'm trying to say is that cookies, URLs and hidden fields are actually the same
for the ticket methods. With the exception that some users disable the former.

- And the exception that you can send a sessionID URL by email but not a cookie.
- And that SID URLs are really not liked by Google

I don't want to start a religious war here, I just want to say I like punBB using cookies.
If my users do not trust me enough to accept cookies from my site they can stay out. No prob :)

Anyway, although it is some work to change punBB to use PHP sessions, it's no science, so why not?

The German PunBB Site:
PunBB-forum.de

Re: Is it possible to use punBB with cookies disabled?

Peace! :-)

http://preferans.de/ - russian card game

Re: Is it possible to use punBB with cookies disabled?

The simple answer to your original question is no :)

"Programming is like sex: one mistake and you have to support it for the rest of your life."