Current time: 07-31-2014, 07:25 AM Hello There, Guest! (LoginRegister)


Post Reply 
 
Thread Rating:
  • 3 Vote(s) - 3.67 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Cookie Prefixes?
09-12-2007, 03:13 AM
Post: #1
Cookie Prefixes?
What do you think? I think this can help resolve some issues with other scripts installed on the same server which use the same cookie names.

For example, if I have a script which I want cookies to be visible for all subdomains, it can cause conflicts with MyBB if they use the same cookie name (let's say "sid"). If we can specify a prefix, like we can for tables, it would probably be much better.


Probably a little thing, but I think it would be nice. What do you guys think?
Visit this user's website Find all posts by this user
Quote this message in a reply
09-12-2007, 06:41 PM
Post: #2
RE: Cookie Prefixes?
+10

I fully support this idea. This way we also make it harder to spoof cookies / steal login sessions (the hacker would have to customize the script for each site).
Find all posts by this user
Quote this message in a reply
09-12-2007, 09:57 PM
Post: #3
RE: Cookie Prefixes?
Wow, great idea. Would make it impossible to access the cookie via any sort of injection. We could use a random 4 character prefix for the cookie which is stored in the user table.
Visit this user's website Find all posts by this user
Quote this message in a reply
09-13-2007, 04:25 AM
Post: #4
RE: Cookie Prefixes?
Yeah it would make it easier to have multiple MyBB's on one domain.

Dennis Tsang
http://dennistt.net
Find all posts by this user
Quote this message in a reply
09-13-2007, 10:14 AM
Post: #5
RE: Cookie Prefixes?
Great idea Big Grin More security and more features!

Visit this user's website Find all posts by this user
Quote this message in a reply
09-13-2007, 10:31 AM
Post: #6
RE: Cookie Prefixes?
so you did that with hibbyware's site? cool wells i never had that problem when loging in anymore.

Visit this user's website Find all posts by this user
Quote this message in a reply
09-13-2007, 11:37 AM
Post: #7
RE: Cookie Prefixes?
This sound like a very good idea i would rate it like 10/10 if we had to rate it.

COOLIES
Find all posts by this user
Quote this message in a reply
09-13-2007, 11:47 AM
Post: #8
RE: Cookie Prefixes?
MyBB 1.4 now has the cookie prefixes feature.

In the Admin CP you can define a prefix for all cookies set by the board, useful if you have (as mentioned) other copies of MyBB on the same domain, or other applications which conflict with the cookie names in MyBB.

The setting is completely optional, and blank by default.

Chris
Visit this user's website Find all posts by this user
Quote this message in a reply
09-13-2007, 02:37 PM
Post: #9
RE: Cookie Prefixes?
Well, on a global scale, it's completely useless for security. But it does solve the conflict problem
Visit this user's website Find all posts by this user
Quote this message in a reply
09-13-2007, 11:25 PM
Post: #10
RE: Cookie Prefixes?
It's not really - each site can have a different cookie prefix, it is slightly more secure but still as insecure as having random names in front of each cookie.

The reason the random names would not work is you can't check for a logged in user when cookie names are going to be different all the time - you'd have to filter the $_COOKIE array, find the one matching *mybbuser and any other name just to retrieve a cookie - which means it is equally as "insecure" as global cookie prefixes.
Visit this user's website Find all posts by this user
Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)

Contact Us | MyBB | Return to Top | Return to Content | Lite (Archive) Mode | RSS Syndication