Xkeeper Posts: 4599/5653
Originally posted by HyperHacker
I was considering adding some salt to the MD5 hash the cookie stores, but I ran into that same problem -- it has to be unique to each user.
HyperHacker Posts: 4023/5072
Hm, you're right. Come to think of it, there's really no way to prevent having to log in every session without people being able to do just that, except locking the session ID to an IP address, which is no good for dynamic IPs. :-/ I figured that's what things like vBulletin and phpBB did, but it looks like they just store a user ID and password hash.
emcee Posts: 673/867
Then how does that prevent people from stealing cookies and using them as their own?
HyperHacker Posts: 4014/5072
Originally posted by emcee
It wouldn't. You'd just make them last a long time, or however long the user chooses on the login page. Despite their name, session IDs can span multiple sessions.
emcee Posts: 662/867
Even in layouts?
Xkeeper Posts: 4524/5653
Or I could just filter < to &lt;.
Seriously, your solutions are all crap.
emcee Posts: 659/867
Wouldn't that make it so you would have to constantly re-login? How would the server start a new session after the last one expired without the password?
HyperHacker Posts: 3997/5072
I think the best solution is to not store passwords in the cookie at all, but rather session IDs. Cookies store user IDs, and decrypting the password is pretty easy.
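An added illustration of the two designs HyperHacker contrasts here and in his earlier reply (a cookie holding a hash of the password, versus a random server-side session ID that lasts "however long the user chooses on the login page"). This is example code written for this page, not code from the board's own functions.php; the user id 42, the 30-day lifetime and the clock values are constructed.

```python
import hashlib
import secrets
import time

def legacy_cookie(user_id, password):
    # The scheme the thread argues against: user id plus a hash of the
    # password. The value never changes, so a stolen copy works until the
    # password itself is changed.
    return f"{user_id}:{hashlib.md5(password.encode()).hexdigest()}"

class SessionStore:
    """Server-side sessions: the cookie carries only a random session ID."""
    def __init__(self):
        self._sessions = {}  # session_id -> (user_id, expires_at)

    def login(self, user_id, lifetime_seconds, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 random bits, tied to nothing
        self._sessions[sid] = (user_id, now + lifetime_seconds)
        return sid

    def user_for(self, sid, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            del self._sessions[sid]  # expired: drop so it cannot be replayed
            return None
        return user_id

    def revoke_user(self, user_id):
        # Kill every session of one user (logout everywhere, password change).
        stale = [s for s, (u, _) in self._sessions.items() if u == user_id]
        for s in stale:
            del self._sessions[s]
        return len(stale)

def demo():
    store, t0 = SessionStore(), 1_000_000  # constructed clock, seconds
    sid = store.login(42, 30 * 86400, now=t0)  # "remember me for 30 days"
    out = {"day_1": store.user_for(sid, now=t0 + 86400),
           "day_29": store.user_for(sid, now=t0 + 29 * 86400),
           "day_31": store.user_for(sid, now=t0 + 31 * 86400)}
    sid2 = store.login(42, 30 * 86400, now=t0)
    out["revoked"] = store.revoke_user(42)
    out["after_revoke"] = store.user_for(sid2, now=t0 + 86400)
    return out
```

The session ID spans many browser sessions but has a hard end and can be revoked server-side, while `legacy_cookie` yields the same bearer value for as long as the password stays the same.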
emcee Posts: 651/867
Yeah, HyperHacker is right. I could actually steal cookies right from the main page. But unlike the password on the reply page, the password in the cookie appears to be encrypted to some extent. I tried decrypting it using the function shdec from functions.php, but it didn't seem to work; maybe it's outdated.
Of course, it's not really necessary to decrypt it; all you have to do is use the cookie like it's your own. But it still wouldn't help to steal on the main page or from a post, since it would be kind of hard to determine whose cookies are whose. Instead, you could just put the code in a PM and wait for them to read it. Maybe the best solution is to store the password in the cookie and HTML with one-way encryption (I don't know how this is done in PHP, but in Perl it's just crypt(password,salt)). Then, to validate it, encrypt the password on the server the same way and compare. Then, just check the referrer to make sure it's coming from the right site. That would completely solve the problem.
Metal Man88 Posts: 409/701
Eh, I can't see it happening any time soon. Most people prefer to register en masse and post garbage... hijacked accounts, I think, are a rarity.
pikaguy900 Posts: 391/748
Ummm... It's easy to steal them while replying? *shudders* Why not just take away that part that has your username and password inputted to post? You could have that page simply check to see who is logged in when you post, and whoever you're logged in as, that's the username that'll appear. I know they never ask for your username when posting on any other board, even if you're logged in.
Xkeeper Posts: 4494/5653
I have an even simpler solution. Actually doing it is another matter entirely.
HyperHacker Posts: 3977/5072
I imagine some of these methods would be exploitable on pretty much any page to grab cookies. Unless you're thinking of one particular method I just thought of that would be nearly impossible to actually pull off.
emcee Posts: 650/867
Even with the filters it's still very easy to steal passwords. There are several ways in IE, and at least one that I tested that works on Firefox. And they're all just one simple line of code.
There's even a way of doing it that doesn't involve JavaScript at all, although it's a bit more complicated. Simple solution: disable HTML in the overview of the thread shown on the reply page.