PEAK XOOPS - Re: possible security issue with autologin hacks & X Cores

Re: possible security issue with autologin hacks & X Cores
Posted on 2009/5/2 6:06
GIJOE   Posts: 4110
Hi vaughan.

Quote:

In SSL this should be set to true or 1, because if $secure is not enabled when using SSL, it is possible to trick the browser into sending the secure cookie data over insecure HTTP. Setting this to 1 prevents the cookie from being sent over non-HTTPS.

This isn't just your hack, though; this issue exists in all XOOPS cores that I know of. Though I haven't checked Xcube, I did browse through Legacy and noticed the secure parameter isn't set when using SSL there either.

I can understand what you mean.
Though I think the "secure parameter" of the cookie is not as important a risk as "autologin" itself, it can be modified to be a little bit more secure, like this:


// 1 only when the site itself is served over https; a plain-http install keeps working
$secure_bit = substr( XOOPS_URL , 0 , 5 ) == 'https' ? 1 : 0 ;

$expire = time() + ( defined('XOOPS_AUTOLOGIN_LIFETIME') ? XOOPS_AUTOLOGIN_LIFETIME : 604800 ) ; // 1 week default
// 6th argument of setcookie() is the secure flag (was hard-coded 0)
setcookie('autologin_uname', $uname, $expire, $xoops_cookie_path, '', $secure_bit );
// V3.1
$Ynj = date( 'Y-n-j' ) ;
// token is bound to today's date and to two server-side secrets, so the cookie never carries the password hash itself
setcookie('autologin_pass', $Ynj . ':' . md5( $user->getVar('pass') . XOOPS_DB_PASS . XOOPS_DB_PREFIX . $Ynj ) , $expire, $xoops_cookie_path, '', $secure_bit);
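The issuing side from the post together with the verifying side the post does not show, as an added example that is neither GIJOE's nor XOOPS's own code. It derives the secure bit from XOOPS_URL exactly as above and rebuilds the autologin_pass token with the same md5(pass . XOOPS_DB_PASS . XOOPS_DB_PREFIX . date) recipe; the constant values, the helper names (autologin_*, verify_autologin_token), the one-day grace window in the verifier and the httponly flag are assumptions made for this illustration. Two caveats a practitioner should keep in mind: the secure flag only stops the browser from sending the cookie over plain HTTP and does nothing against a token obtained any other way, which is why binding the token to the date and to server-side secrets matters more; and date('Y-n-j') depends on the server timezone, so issuing and verifying must run under the same one.

```php
<?php
// Added illustration, not XOOPS or GIJOE's code: the autologin cookie scheme
// from the post (issuing side) plus a matching verifier (assumed; the post
// shows only the issuing side). The defines below are constructed stand-ins
// for what mainfile.php would provide on a real XOOPS install.
if (!defined('XOOPS_URL'))                define('XOOPS_URL', 'https://example.invalid/xoops');
if (!defined('XOOPS_DB_PASS'))            define('XOOPS_DB_PASS', 'constructed-db-password');
if (!defined('XOOPS_DB_PREFIX'))          define('XOOPS_DB_PREFIX', 'xoops');
if (!defined('XOOPS_AUTOLOGIN_LIFETIME')) define('XOOPS_AUTOLOGIN_LIFETIME', 604800); // 1 week

// Same test as the post: flag the cookie secure only when the site itself is https,
// so a plain-http install keeps working while an https install never leaks the cookie.
function autologin_secure_bit()
{
    return substr(XOOPS_URL, 0, 5) === 'https' ? 1 : 0;
}

// The post's token: date prefix plus md5 of the stored password hash, two
// server-side secrets and the same date. Nothing in the cookie is reusable
// on another day or on a host with different DB credentials.
function autologin_token($pass_hash, $Ynj)
{
    return $Ynj . ':' . md5($pass_hash . XOOPS_DB_PASS . XOOPS_DB_PREFIX . $Ynj);
}

// Issue both cookies. $pass_hash is what the post reads via $user->getVar('pass').
// The seventh setcookie() argument (httponly, PHP >= 5.2) is an addition to the
// post's call: it keeps both cookies out of document.cookie.
function issue_autologin_cookies($uname, $pass_hash, $cookie_path = '/')
{
    $expire     = time() + XOOPS_AUTOLOGIN_LIFETIME;
    $secure_bit = autologin_secure_bit();
    $Ynj        = date('Y-n-j');
    setcookie('autologin_uname', $uname, $expire, $cookie_path, '', $secure_bit, true);
    setcookie('autologin_pass', autologin_token($pass_hash, $Ynj), $expire, $cookie_path, '', $secure_bit, true);
}

// Constant-time string compare; hash_equals() only exists from PHP 5.6.
function autologin_ct_equals($a, $b)
{
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Verifier (assumed design): accept the cookie only if its date field is today
// or yesterday (a cookie set just before midnight must still work), then
// recompute the md5 from the stored hash and compare the whole value. The date
// is read from the cookie but only used after it passes the window check.
function verify_autologin_token($cookie_value, $pass_hash, $now = null)
{
    if ($now === null) {
        $now = time();
    }
    $parts = explode(':', (string) $cookie_value, 2);
    if (count($parts) !== 2) {
        return false;
    }
    $Ynj     = $parts[0];
    $allowed = array(date('Y-n-j', $now), date('Y-n-j', $now - 86400));
    if (!in_array($Ynj, $allowed, true)) {
        return false; // token older than one day, or date field tampered with
    }
    return autologin_ct_equals(autologin_token($pass_hash, $Ynj), (string) $cookie_value);
}

// Stand-alone demo with constructed values (run from the CLI).
$pass_hash = md5('constructed-user-password');          // stand-in for the stored hash
$today     = autologin_token($pass_hash, date('Y-n-j'));
$stale     = autologin_token($pass_hash, '2000-1-1');    // valid hash, long-expired date
$forged    = date('Y-n-j') . ':' . str_repeat('0', 32);  // right date, wrong hash
var_dump(verify_autologin_token($today, $pass_hash));
var_dump(verify_autologin_token($stale, $pass_hash));
var_dump(verify_autologin_token($forged, $pass_hash));
```

The verifier deliberately recomputes the token from the stored hash and compares the complete cookie value rather than just the md5 part, so a cookie whose date field has been edited fails either the window check or the comparison; the one-day grace window is a design choice for this example and is not in the post's scheme.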