Quick question re: MyBB's cookies.
Firefox Wins
Posts: 164
Joined: Mar 2008
Post: #1
Quick question re: MyBB's cookies.
EDIT: I figured it out; the answer is at the end...
^^^

Forum 1
directory = bb & cookie path intentionally set to root (/), for integration w/ other pages.
Root (/) setting not causing any obvious problems.

Forum 2
directory = forum (for example)
Cookie path also set to (/)

An unmodified login at Forum 1 sets cookies and enters MyBB session data, in the 'sessions' DB table.

Question 1)
Does MyBB use the session data in the database for security related to logins?
(i.e. "verified sessions" / cookies based on encrypted session values, or something similar)
  • When both forums on the same domain use (/) for the cookie path, then I'm getting a 'cheap and easy' SSO (Single-Sign-On), into both forums.

Question 2)
Forum 2 is allowing me to be logged in even though the 'verified session' occurred with Forum 1. How is this possible, and / or where is the protection from session hijacking or 'phony' cookies?

Thank you.


EDIT:
  • Security is based on the login key. This 'cheap and easy' SSO only works if the user has the same login key in both DBs.
  • This is a pretty cool feature to play with :)
(This post was last modified: 02-14-2011 03:48 AM by Firefox Wins.)
02-14-2011 03:33 AM
Pirata Nervo
Posts: 235
Joined: Jan 2008
Post: #2
RE: Quick question re: MyBB's cookies.
Interesting, by quickly looking at the sessions code it seems that in order to be seen as logged in, the entry must exist in the sessions table:

PHP Code:
// Attempt to find a session id in the cookies.
if(isset($mybb->cookies['sid']))
{
    $this->sid = $db->escape_string($mybb->cookies['sid']);
    // Load the session
    $query = $db->simple_select("sessions", "*", "sid='{$this->sid}' AND ip='".$db->escape_string($this->ipaddress)."'", array('limit' => 1));
    $session = $db->fetch_array($query);
    if($session['sid'])
    {
        $this->sid = $session['sid'];
        $this->uid = $session['uid'];
    }
    else
    {
        $this->sid = 0;
        $this->uid = 0;
        $this->logins = 1;
        $this->failedlogin = 0;
    }
}


If a session is not found, it won't see you as logged in.

Do both of your forums use the same sessions table?

02-14-2011 08:20 AM
ZiNgA BuRgA
Posts: 3,357
Joined: Jan 2008
Post: #3
RE: Quick question re: MyBB's cookies.
^ No, if you keep reading further down, you'll see why. (Confusing, I know, but well...)

The loginkey is the authenticator. If the session doesn't exist, it'll create one.

(This post was last modified: 02-14-2011 10:02 PM by ZiNgA BuRgA.)
02-14-2011 10:02 PM
Pirata Nervo
Posts: 235
Joined: Jan 2008
Post: #4
RE: Quick question re: MyBB's cookies.
Oh sorry, didn't notice this:

PHP Code:
// If we have a valid session id and user id, load that users session.
if($mybb->cookies['mybbuser'])
{
    $logon = explode("_", $mybb->cookies['mybbuser'], 2);
    $this->load_user($logon[0], $logon[1]);
}


Since mybbuser exists in cookies, yes it will create a login key when load_user is being executed.

Sorry :P

02-15-2011 05:27 AM
Firefox Wins
Posts: 164
Joined: Mar 2008
Post: #5
RE: Quick question re: MyBB's cookies.
The same 'cheap and easy' SSO only works in the front-end and not for admin sessions. Instead of asking 'how can I make it work?'... :P

What is the root cause of the difference?

Can anyone help provide a starting-point?
If front-end sessions are '(re-)authenticated' based on the login key, then what about admin sessions:
  • Other than the session time-out (auto-logout) how is the cookie (session) verification different for the (admin) back-end?
    ...and/or...
  • Why are 2 admin logins, using the same cookie path, causing a conflict, and logging the 'other one' out?
Thanks a bunch.

P.S. Let me guess:
This one actually uses a unique session as part of the verification, is that correct?
(This post was last modified: 02-28-2011 11:23 AM by Firefox Wins.)
02-28-2011 11:20 AM
ZiNgA BuRgA
Posts: 3,357
Joined: Jan 2008
Post: #6
RE: Quick question re: MyBB's cookies.
Yes, logging in creates a temporary session only.

02-28-2011 11:50 AM
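To make the two behaviours discussed in this thread concrete (front-end re-authentication by loginkey in posts #2 to #4, and the session-only admin login of posts #5 and #6), here is a small model added as an illustration; it is not MyBB's own code and was not posted by anyone in the thread. It keeps the sessions table, the sid cookie and the mybbuser cookie in "uid_loginkey" form from the quoted class_session snippets. The admin table and cookie names (adminsessions, adminsid), the three installs, the user rows and the IP addresses are assumptions constructed for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Forum:
    """One MyBB install with its own database tables (constructed model)."""
    name: str
    users: dict                                         # uid -> loginkey
    sessions: dict = field(default_factory=dict)        # sid -> {"uid", "ip"}
    adminsessions: dict = field(default_factory=dict)   # sid -> uid (assumed name)


def create_session(forum, cookies, uid, ip):
    """Insert a row in THIS forum's sessions table and hand the sid to the browser."""
    sid = secrets.token_hex(16)
    forum.sessions[sid] = {"uid": uid, "ip": ip}
    cookies["sid"] = sid          # cookie path "/" => shared by every install on the domain
    return sid


def frontend_uid(forum, cookies, ip):
    """Front-end check in the order the quoted code uses:
    1. the 'sid' cookie must match a row (sid AND ip) in THIS forum's sessions table;
    2. otherwise the 'mybbuser' cookie ("uid_loginkey") is checked against THIS
       forum's users table; on success a new session is created (the 'cheap SSO')."""
    session = forum.sessions.get(cookies.get("sid"))
    if session and session["ip"] == ip:
        return session["uid"]
    uid_str, _, loginkey = cookies.get("mybbuser", "").partition("_")
    if uid_str.isdigit() and loginkey and forum.users.get(int(uid_str)) == loginkey:
        uid = int(uid_str)
        create_session(forum, cookies, uid, ip)   # loginkey is the authenticator
        return uid
    return 0  # guest


def admin_login(forum, cookies, uid):
    """Admin login stores only a temporary sid; there is no loginkey fallback
    (cookie name 'adminsid' is an assumption of this model)."""
    sid = secrets.token_hex(16)
    forum.adminsessions[sid] = uid
    cookies["adminsid"] = sid     # one shared cookie: a second login overwrites it
    return sid


def admin_uid(forum, cookies):
    """Admin check: the sid must exist in THIS forum's adminsessions table, nothing else."""
    return forum.adminsessions.get(cookies.get("adminsid"), 0)


def run_scenario():
    """Constructed scenario: three installs on one domain, all with cookie path '/'."""
    ip = "203.0.113.10"
    bb = Forum("bb", users={1: "a1b2c3"})         # where the real login happened
    forum = Forum("forum", users={1: "a1b2c3"})   # same uid, same loginkey
    other = Forum("other", users={1: "zzz999"})   # same uid, different loginkey
    cookies = {"mybbuser": "1_a1b2c3"}            # set by a normal login at bb
    create_session(bb, cookies, 1, ip)

    results = {}
    # sid belongs to bb, so forum misses on sid but re-authenticates via loginkey
    results["sso_same_key"] = frontend_uid(forum, cookies, ip)
    # other has a different loginkey for uid 1: no SSO
    results["sso_other_key"] = frontend_uid(other, cookies, ip)
    # a matching sid from another IP, with no mybbuser cookie, is rejected
    results["ip_mismatch"] = frontend_uid(forum, {"sid": cookies["sid"]}, "198.51.100.7")
    # the shared sid cookie now points at forum's row, so bb re-sessions too
    results["bb_resessioned"] = frontend_uid(bb, cookies, ip)
    results["bb_session_rows"] = len(bb.sessions)

    admin_login(bb, cookies, 1)
    results["bb_admin_before"] = admin_uid(bb, cookies)
    admin_login(forum, cookies, 1)                # overwrites the shared adminsid cookie
    results["bb_admin_after"] = admin_uid(bb, cookies)
    results["forum_admin"] = admin_uid(forum, cookies)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model reproduces the thread's observations: with identical loginkeys the second install re-authenticates from the mybbuser cookie and writes its own session row (so each install ends up minting sessions in turn), a different loginkey blocks it, and the admin side has nothing but the temporary sid, so two admin logins sharing one cookie path simply overwrite each other.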