
Big auth problems | Forum

Maxim Aug 27 '12
Hi

In oxwall you have two big auth problems.

1. You save the cookie name for a user in ow_base_login_cookie. BUT if I sign in in Chrome (just as an example, you may use any browser) and then I sign in in Opera (just as an example, you may use any browser), then in the db the cookie name is rewritten for that userId. You keep only one record in the db per user. It's not good, because when I sign in in Opera I am automatically signed out of Chrome.


2. The algorithm that generates the cookie name is not good. Sometimes two users get a cookie with the same name, and when one of them signs in (later than the first user) he becomes signed in as the first user. It's a big security bug.

For example, a better way is

$loginCookie->setCookie(hash_hmac('md5', time() + mt_rand(), $userId));
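The following is an added example, not code from the original post or from Oxwall itself, showing one way to address both points raised above: keep one login-cookie record per browser session (so a second sign-in does not overwrite the first) and derive the cookie value from the OS CSPRNG (random_bytes) instead of time() and mt_rand(), so two users cannot receive the same value. The class name, the in-memory array standing in for the ow_base_login_cookie table, and the user ids 42 and 7 are all hypothetical; Oxwall's real table layout and APIs differ.

```php
<?php
// Added example (not Oxwall code): a login-cookie store with one record per
// browser session and CSPRNG-derived cookie values. Names are hypothetical.
declare(strict_types=1);

final class LoginCookieStore
{
    /** @var array<string, array{userId:int, expires:int}> keyed by sha256(token) */
    private array $records = [];   // stands in for a DB table with a UNIQUE index on the hash

    /** Issue a new cookie for one browser; earlier cookies of the same user stay valid. */
    public function issue(int $userId, int $ttlSeconds = 30 * 86400): string
    {
        // 32 bytes from the OS CSPRNG: collisions are not a practical concern,
        // unlike time() + mt_rand(), which can repeat within the same second.
        $token = bin2hex(random_bytes(32));
        $this->records[hash('sha256', $token)] = [
            'userId'  => $userId,
            'expires' => time() + $ttlSeconds,
        ];
        return $token;   // only the hash is stored, so a DB leak does not yield usable cookies
    }

    /** Resolve a cookie value to a user id, or null if unknown or expired. */
    public function lookup(string $token): ?int
    {
        $key = hash('sha256', $token);
        if (!isset($this->records[$key])) {
            return null;
        }
        if ($this->records[$key]['expires'] < time()) {
            unset($this->records[$key]);   // lazy expiry
            return null;
        }
        return $this->records[$key]['userId'];
    }

    /** Sign out of this browser only. */
    public function revoke(string $token): void
    {
        unset($this->records[hash('sha256', $token)]);
    }

    /** Sign out everywhere, e.g. after a password change; returns the number of sessions removed. */
    public function revokeAllForUser(int $userId): int
    {
        $n = 0;
        foreach ($this->records as $key => $rec) {
            if ($rec['userId'] === $userId) {
                unset($this->records[$key]);
                $n++;
            }
        }
        return $n;
    }
}

// Constructed walkthrough of the two scenarios from the post.
$store  = new LoginCookieStore();
$chrome = $store->issue(42);   // user 42 signs in from one browser
$opera  = $store->issue(42);   // same user, second browser: the first cookie is NOT overwritten
assert($store->lookup($chrome) === 42 && $store->lookup($opera) === 42);

$other = $store->issue(7);     // another user signing in later gets a distinct value
assert($other !== $chrome && $store->lookup($other) === 7);

$store->revoke($opera);        // signing out in one browser leaves the other signed in
assert($store->lookup($opera) === null && $store->lookup($chrome) === 42);

assert($store->revokeAllForUser(42) === 1);   // only the Chrome session was still active
echo "ok\n";
```

When the value returned by issue() is actually sent to the browser, it should go out with the HttpOnly and Secure flags (and an expiry matching the stored one), which is a separate concern from the two bugs discussed in the post but is where the same cookie is handled.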

Purusothaman Ramanujam
You could contact core team members if you think this is a serious security bug.
Michael I. Sep 4 '12
Maxim, thank you for suggestions. I will check into them with our developers and get back to you with a reply soon.