
security | Forum

Topic location: Forum home » Support » General Questions
Marcus
Marcus Aug 23 '20
Hi, the password is encrypted and it's useless, but nobody seemed to realize that if you can dump the login_cookies table you can log in as any of those users lol. This is a serious flaw that needs to be addressed ASAP.
Marcus
Marcus Aug 23 '20
The solution is to create a check point in between the user and the DB cookie.

The DB cookie value is encoded, then saved on the user, so they don't match.

When the user sends the cookie we decode it and check the DB for matches; if true, set the user id on the session etc.

If someone manages to get their dirty hands on the cookie values stored in the DB they won't work, because you can't directly use that value as a cookie since it needs to be encoded first.

In other words the user cookie value first needs to be decoded, then matched.
dave Leader
dave Aug 23 '20
Would applying the CSRF token to the login form work the same? Sounds like it.
Marcus
Marcus Aug 23 '20
If I get your login cookie nothing will stop me from logging in as you.
Marcus
Marcus Aug 23 '20
You can log in as any user: just get their login cookie and create a new ow_login cookie with that value.
dave Leader
dave Aug 23 '20

That's the problem with allowing remember-me cookies for passwords; if it was just a username cookie it would not be an issue.. am I correct? Or those cookies need to be replaced or removed from that table more often.


There is nothing 100%, but I agree, authoritative data should be stored in a cookie or session. But that's one reason why you want to use https, because the stream is more secure.. If someone gets ahold of your DB data then nothing can save you, it's all over.... So long passwords, shutting down brute force and all of that other server protection is going to help save you. But if someone really wants what you have, there is not much that can stop them, that is just how it is.... if they have the patience and devotion to work night and day, they will find a way in.


However, most of the time they are not even interested in such sites unless they can use a weakness in your site to get to the server data. 


This is 8 years old and some things have improved, but it is still worth reading.


stackoverflow.com/questions/10566988/what-is-the-correct-and-safe-secure-way-to-keep-a-user-logged-in-cookies-sessi



The Forum post is edited by dave Aug 23 '20
Marcus
Marcus Aug 24 '20
Thanks dave. As I explained in my second post, that way is 100% secure and bulletproof.
dave Leader
dave Aug 24 '20
So it sounds like just a simple base64_encode and base64_decode will do the trick. It's simple and I have used it on parts of a URL many times. It's not meant for high-level security but it does do the job of obfuscating the data.
Marcus
Marcus Aug 24 '20
Thanks dave, that's right. Simpler in many cases is better.
dave Leader
dave Aug 28 '20

Marcus, did you know that part of what Suhosin does is provide cookie encryption? I just learned that myself.


en.wikipedia.org/wiki/Suhosin



Also some other bad news: 


suPHP is not maintained any longer and will not receive any further updates not even security patches.


If you want to continue using suPHP, feel free to create a fork (the complete code is licensed under the GPL version 2).


If you are looking for an alternative, have a look at php-fpm.
There also is a fork of suPHP maintained by John Lightsey on GitHub.


www.suphp.org



The Forum post is edited by dave Aug 28 '20
Marcus
Marcus Aug 29 '20
There is no need to complicate this process; just use any of the PHP encoders available with some secret code like a salt. It makes it 100% secure: unless you get your hands on that piece of code you can't decode it, plus you need to figure out how to decode it, I mean it's solid.
The Forum post is edited by Marcus Aug 29 '20
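As an added example (not Oxwall's code and not posted by either participant), the check point from Marcus's second post, the base64 idea and the "encoder with a secret" idea can all be covered by one keyed one-way hash: the ow_login cookie carries a random token, the login_cookie table stores only HMAC(token) under a hypothetical per-site secret, and a dumped row is useless as a cookie because whatever arrives is hashed again before lookup. The table is modelled as an in-memory array so the script runs stand-alone.

```php
<?php
// Added illustration for this thread; not Oxwall code. The login_cookie table is
// modelled as an in-memory array and $siteSecret is a hypothetical per-install key.
declare(strict_types=1);

final class RememberMeStore
{
    private array $rows = []; // keyed by HMAC(token) => ['user_id' => int, 'expire' => int]

    public function __construct(private string $siteSecret) {}

    // Login: a fresh random token goes into the ow_login cookie; the table keeps only
    // HMAC(token). A stored row cannot be turned back into a working cookie value.
    public function issue(int $userId, int $ttl = 30 * 86400): string
    {
        $token = bin2hex(random_bytes(32));
        $this->rows[$this->digest($token)] = ['user_id' => $userId, 'expire' => time() + $ttl];
        return $token;
    }

    // Each request: hash what the browser sent and look that up. Nothing is decoded, so
    // a dumped row pasted into a cookie hashes to a key that does not exist in the table.
    public function resolve(string $cookieValue): ?int
    {
        $key = $this->digest($cookieValue);
        if (!isset($this->rows[$key])) {
            return null;
        }
        if ($this->rows[$key]['expire'] < time()) {
            unset($this->rows[$key]); // expired: drop it, i.e. rows are replaced regularly
            return null;
        }
        return $this->rows[$key]['user_id'];
    }

    // What an attacker would see after dumping the table.
    public function dumpStoredValues(): array
    {
        return array_keys($this->rows);
    }

    private function digest(string $token): string
    {
        return hash_hmac('sha256', $token, $this->siteSecret);
    }
}

$store  = new RememberMeStore('placeholder-long-random-site-secret');
$cookie = $store->issue(42);                                // real code: setcookie('ow_login', $cookie, ['httponly' => true, 'secure' => true])
var_dump($store->resolve($cookie));                         // int(42): the browser's token works
var_dump($store->resolve($store->dumpStoredValues()[0]));   // NULL: the dumped DB value does not
```

Unlike base64 or a reversible encoder, the stored digest cannot be turned back into the token even by someone who also has the source code; only the secret plus a token the browser actually holds will match.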