You are not logged in. Please login or register.
PunBB Forums → Feature requests → Is it possible to use punBB with cookies disabled?
Hi,
I'm using PunBB 1.2.6 with Postgresql 7.4.3 and PHP 5.0.4
which was compiled with --enable-trans-sid and --enable-session.
Is it possible for a user with cookies disabled to still login and use PunBB?
Can't cookies be replaced by the SID? My quick Firefox-test failed...
Regards
Alex
Hi,
Is it possible for a user with cookies disabled to still login and use PunBB?
I'm sure you can't.
Don't know for the sid.
Ludo,
Theoretically you could.
It needs heavy modification of the source though.
Instead of setting and modifying a cookie you must set and modify a session.
Sounds easy but it affects tons of pages.
And I wouldn't want it, this URL session handling is insecure like nothing else.
I mean anybody could find a URl with a valid session identifier somewhere...
also you get the problem that search engines hate SIDs
And I wouldn't want it, this URL session handling is insecure like nothing else.
I mean anybody could find a URl with a valid session identifier somewhere...
How is it more insecure than saving the session id in the cookies?
If you add a hash on the username + expiry date + IP (actually the subnet),
then it should be ok, I think
Regards
Alex
If you have the session ID in a cookie then somebody must hijack or otherwise steal the cookie.
Possible but technically more complex.
If you have the session ID in a string then you have the key to your site sitting in every url cache in any browser in any internet cafe where your users decided to visit your board.
In theory again but - any stupid can do it so it is likely that any stupid will do it. 
Plus, technically challenged users will always copy the session ID when they send links to friends. They do, yes, I know this out of bad experience...sure you wil have a timeout but still you have to let the SID live for a while, right?
Plus, as connor said, searchengines do not find these session strings very attractive.
Sorry, but your internet cafe example can be applied both to cookies and to URLs in cache.
BTW you can put an expiry date into the string that you are hashing
(with MD5 or SHA) to prevent users tampering with it. Here is an example:
http://modperl.com/book/chapters/ch6.ht … ss_Control
What I'm trying to say is that cookies, URL and hidden fields are actually same
for the ticket methods. With the exception that some users disable the former.
Regards
Alex
What I'm trying to say is that cookies, URL and hidden fields are actually same
for the ticket methods. With the exception that some users disable the former.
- And the exception that you can send a sessionID URL by email but not a cookie.
- And that SID-urls are really not liked by google
I don't want to start a religious war here, I just want to say I like punBB using cookies.
If my users do not trust me enough to accept cookies from my site they can stay out. No prob
Anyway, although it is some work to change punBB to use php sessions but it's no science, so why not?
Peace! :-)
The simple answer to your original question is no
PunBB Forums → Feature requests → Is it possible to use punBB with cookies disabled?
Powered by PunBB, supported by Informer Technologies, Inc.