Solve cookie authentication security vulnerability

Spartak


Currently when you create an account on a MyBB forum, a cookie is created and attached to that account in the database.

That cookie never changes.

So whenever you're browsing the forum, making posts and threads, etc., the server is using the cookie in your browser to authenticate all the requests.

An attacker can use this by:
1. XSS (search "Samy MySpace XSS worm") to send the cookie in your browser back to the attacker.
2. CSRF: you can visit google.com and the browser will make a request to the forum and can start making threads and posts without you knowing.
3. Browser vulnerability: if you don't update your web browser or something, an attacker can take the cookies.
4. Server breach: the cookies on the server are stored in plain text (kind of like plain text passwords), and they have no expiration, so one server breach and an attacker would have access to every user account (you would have to make everyone reset their passwords... that MIGHT fix it?).

The cookie has the format <uid>_<loginkey>

To fix this problem we need to:
1. Generate a new loginkey when a user signs out, and don't share it back to them.
2. Generate a new loginkey when a user makes a request with an expired session, and don't share it back to them.
3. When a user logs in, generate a new loginkey.
4. When a user logs in, update their last-active time (to avoid having their first request upon logging in be seen as an expired session).

Code fixes for the above are:

1. Inside member.php, inside the ['action'] == "logout" if statement, add (somewhere before the last redirect() function):

```php
// Rotate the stored loginkey on logout so the old cookie value is no longer valid.
update_loginkey($mybb->user['uid']);
```

2. Inside inc/class_session.php and the load_user() function, inside the $time - $mybb->user['lastactive'] > 900 if statement, add (at the end of the if statement):

```php
// Session expired: rotate the loginkey and reject this request.
update_loginkey($mybb->user['uid']);
return false;
```

3. Inside inc/datahandlers/login.php and the complete_login() function, add (before the my_setcookie("mybbuser", $user['uid']."_".$user['loginkey'], $remember, true, "lax"); line):

```php
// Issue a fresh loginkey on every login; the new value goes into the cookie below.
$user['loginkey'] = update_loginkey($user['uid']);
```

4. Right above the last line, also add:

```php
// Reset the activity timestamps so the first request after login is not treated as expired.
$sql_array = array(
    "lastactive" => TIME_NOW,
    "lastvisit" => TIME_NOW
);
$db->update_query("users", $sql_array, "uid = '{$user['uid']}'");
```

To adjust how long it takes for a session to expire, go back to #2 and change the number 900 in the if statement ($time - $mybb->user['lastactive'] > 900)... try changing 900 to 10 (seconds) and see if the changes worked and you can juggle a session by refreshing the page within 10 seconds, or not refreshing the page and seeing the session expire.
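The following is an added, self-contained PHP model of the four fixes described in the post; it is not MyBB's code and not the poster's. It replaces the database with an in-memory array and the real update_loginkey()/generate_loginkey() with demo stand-ins (names prefixed demo_ are assumptions), so the rotate-on-logout and rotate-on-expiry behaviour can be exercised from the command line without a MyBB install.

```php
<?php
declare(strict_types=1);

// Same timeout as the `> 900` check in inc/class_session.php.
const SESSION_TIMEOUT = 900;

// Constructed stand-in for the `users` table: uid => row.
$users = [
    1 => ['uid' => 1, 'loginkey' => 'key-initial', 'lastactive' => 0],
];

// Stand-in for MyBB's generate_loginkey(): 50 random alphanumeric characters.
function demo_generate_loginkey(): string {
    return bin2hex(random_bytes(25));
}

// Stand-in for update_loginkey($uid): persist a fresh key and return it.
function demo_update_loginkey(array &$users, int $uid): string {
    $key = demo_generate_loginkey();
    $users[$uid]['loginkey'] = $key;
    return $key;
}

// Parse the "<uid>_<loginkey>" cookie value; null if malformed.
function parse_cookie(string $cookie): ?array {
    if (!preg_match('/^(\d+)_([A-Za-z0-9-]{1,64})$/', $cookie, $m)) {
        return null;
    }
    return ['uid' => (int)$m[1], 'loginkey' => $m[2]];
}

// Models load_user() after fix #2: the user row on success, false otherwise.
// An expired session burns the stored key so the same cookie cannot be replayed later.
function load_user(array &$users, string $cookie, int $now): array|false {
    $parsed = parse_cookie($cookie);
    if ($parsed === null || !isset($users[$parsed['uid']])) {
        return false;
    }
    $user = $users[$parsed['uid']];
    // Constant-time comparison of the presented key against the stored one.
    if (!hash_equals($user['loginkey'], $parsed['loginkey'])) {
        return false;
    }
    if ($now - $user['lastactive'] > SESSION_TIMEOUT) {
        demo_update_loginkey($users, $user['uid']); // fix #2
        return false;
    }
    $users[$user['uid']]['lastactive'] = $now;
    return $users[$user['uid']];
}

// Models complete_login() after fixes #3 and #4: new key, fresh lastactive,
// and the cookie value that would be handed to my_setcookie().
function complete_login(array &$users, int $uid, int $now): string {
    $key = demo_update_loginkey($users, $uid); // fix #3
    $users[$uid]['lastactive'] = $now;          // fix #4
    return $uid . '_' . $key;
}

// Models the logout branch in member.php after fix #1.
function logout(array &$users, int $uid): void {
    demo_update_loginkey($users, $uid);
}

// Explicit checks rather than assert(), which production php.ini often disables.
function check(bool $ok, string $what): void {
    echo ($ok ? 'PASS' : 'FAIL') . ": $what\n";
    if (!$ok) {
        exit(1);
    }
}

$t = 1000;
$cookie = complete_login($users, 1, $t);
check(load_user($users, $cookie, $t + 10) !== false, 'request within timeout is accepted');
check(load_user($users, $cookie, $t + 10 + 901) === false, 'expired session is rejected');
check(load_user($users, $cookie, $t + 10 + 902) === false, 'old cookie stays dead after expiry rotated the key');
$cookie = complete_login($users, 1, $t + 2000);
check(load_user($users, $cookie, $t + 2001) !== false, 'fresh login issues a working cookie');
logout($users, 1);
check(load_user($users, $cookie, $t + 2002) === false, 'logout rotated the key, cookie no longer valid');
```

Run it with `php` from the command line; each line reports PASS or FAIL. The third check is the one that matters for the stolen-cookie scenario in the post: once a request arrives after the timeout, the stored key is replaced, so a copy of the cookie captured earlier does not become usable again simply because the user was inactive.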

