MyBB Hacks

MyBB Hacks > Coding > Quick question re: MyBB's cookies.
Full Version: Quick question re: MyBB's cookies.
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

Firefox Wins

02-14-2011, 03:33 AM
EDIT: I figured it out answer @ the end...
^^^

Forum 1
directory = bb  &  Cookie path intentionally set to root (/), for integration w/ other pages.
Root (/) setting not causing any obvious problems.

Forum 2
directory = forum (for example)
Cookie path also set to (/)

An unmodified login at Forum 1 sets cookies and enters MyBB session data, in the 'sessions' DB table.

Question 1)
Does MyBB use the session data in the database for security related to logins?
(i.e "verified sessions" / cookies based on encrypted session values, or something similar)
  • When both forums on the same domain use (/) for the cookie path, then I'm getting a 'cheap and easy' SSO (Single-Sign-On), into both forums.

Question 2)
Forum 2 is allowing me to be logged in even though the 'verified session' occurred with Forum 1. How is this possible, and / or where is the protection from session hijacking or 'phony' cookies?

Thank you.


EDIT:
  • Security is based on the login key. This 'cheap and easy' SSO only works if the user has the same login key in both DB's.
  • This is pretty cool feature to play with  Smile

Pirata Nervo

02-14-2011, 08:20 AM
Interesting, by quickly looking at the sessions code it seems that in order to be seen as logged in, the entry must exist in the sessions table:

PHP Code: 
		// Attempt to find a session id in the cookies.
		if(isset($mybb->cookies['sid']))
		{
			$this->sid = $db->escape_string($mybb->cookies['sid']);
			// Load the session
			$query = $db->simple_select("sessions", "*", "sid='{$this->sid}' AND ip='".$db->escape_string($this->ipaddress)."'", array('limit' => 1));
			$session = $db->fetch_array($query);
			if($session['sid'])
			{
				$this->sid = $session['sid'];
				$this->uid = $session['uid'];
			}
			else
			{
				$this->sid = 0;
				$this->uid = 0;
				$this->logins = 1;
				$this->failedlogin = 0;
			}
		}


If a session is not found, it won't see you as logged in.

Do both of your forums use the same sessions table?

ZiNgA BuRgA

02-14-2011, 10:02 PM
^ No, if you keeping reading further down, you'll see why. (confusing I know, but well...)

The loginkey is the authenticator.  If session doesn't exist, it'll create one.

Pirata Nervo

02-15-2011, 05:27 AM
Oh sorry didn't notice this:

PHP Code: 
		// If we have a valid session id and user id, load that users session.
		if($mybb->cookies['mybbuser'])
		{
			$logon = explode("_", $mybb->cookies['mybbuser'], 2);
			$this->load_user($logon[0], $logon[1]);
		}


Since mybbuser exists in cookies, yes it will create a login key when load_user is being executed.

Sorry Tongue

Firefox Wins

02-28-2011, 11:20 AM
The same 'cheap and easy' SSO only works in the front-end and not for admin sessions. Instead of asking 'how can I make it work?'...  Tongue

What is the root cause of the difference?

Can anyone help provide a starting-point?
If front- end sessions are '(re-)authenticated' based on the login key, then what about admin sessions:
  • Other than the session time-out (auto-logout) how is the cookie (session) verification different for the (admin) back-end?
    ...and/or...
  • Why are 2 admin logins, using the same cookie path, causing a conflict, and logging the 'other one' out?
Thanks a bunch.

ps. Let me guess:
This one actually uses a unique session as part of the verification, is that correct?

ZiNgA BuRgA

02-28-2011, 11:50 AM
Yes, logging in creates a temporary session only.
MyBB Hacks > Coding > Quick question re: MyBB's cookies.
Reference URL's