Cookie Prefixes?
#1
What do you think? I think this can help resolve some issues with other scripts installed on the same server which use the same cookie names.

For example, if I have a script which I want cookies to be visible for all subdomains, it can cause conflicts with MyBB if they use the same cookie name (let's say "sid"). If we can specify a prefix, like we can for tables, it would probably be much better.


Probably a little thing, but I think it would be nice. What do you guys think?
Reply
#2
+10

I fully support this idea. This way we also make it harder to spoof cookies / steal login sessions (the hacker would have to customize the script for each site).
Reply
#3
Wow, great idea. Would make it impossible to access the cookie via any sort of injection. We could use a random 4-character prefix for the cookie which is stored in the user table.
Reply
#4
Yeah, it would make it easier to have multiple MyBBs on one domain.
Dennis Tsang
http://dennistt.net
Reply
#5
Great idea :D More security and more features!
Reply
#6
So you did that with hibbyware's site? Cool. Well, I never had that problem when logging in anymore.
Reply
#7
This sounds like a very good idea; I would rate it like 10/10 if we had to rate it.
COOLIES
Reply
#8
MyBB 1.4 now has the cookie prefixes feature.

In the Admin CP you can define a prefix for all cookies set by the board, useful if you have (as mentioned) other copies of MyBB on the same domain, or other applications which conflict with the cookie names in MyBB.

The setting is completely optional, and blank by default.

Chris
Reply
#9
Well, on a global scale, it's completely useless for security. But it does solve the conflict problem.
Reply
#10
It's not really - each site can have a different cookie prefix, it is slightly more secure but still as insecure as having random names in front of each cookie.

The reason the random names would not work is you can't check for a logged in user when cookie names are going to be different all the time - you'd have to filter the $_COOKIE array, find the one matching *mybbuser and any other name just to retrieve a cookie - which means it is equally as "insecure" as global cookie prefixes.
Reply
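The trade-off discussed in posts #8 to #10, as an added example that is not MyBB's code and not part of any post: a fixed, configured prefix gives exact-name lookups that keep two applications' `sid` cookies apart, while a random prefix forces the suffix scan over the cookie array that #10 describes, which accepts whatever name the client sends. The helper names, the `forum_` prefix and all cookie values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: exact-name lookup under one fixed, board-wide prefix
// (the optional Admin CP setting from post #8; blank means no prefix).
function get_prefixed_cookie(array $cookies, string $prefix, string $name): ?string
{
    $value = $cookies[$prefix . $name] ?? null;
    return is_string($value) ? $value : null;
}

// Hypothetical helper: the scan post #10 describes for random prefixes.
// The server cannot know the prefix before it knows the user, so every
// cookie whose name ends in the base name becomes a candidate.
function find_by_suffix(array $cookies, string $name): array
{
    $matches = [];
    foreach ($cookies as $key => $value) {
        $key = (string) $key; // numeric-looking names arrive as int keys
        if (is_string($value) && substr($key, -strlen($name)) === $name) {
            $matches[$key] = $value;
        }
    }
    return $matches;
}

// Constructed request cookies: another application's "sid", the board's
// cookies under the constructed prefix "forum_", and one client-chosen name.
$cookies = [
    'sid'            => 'other-app-session',
    'forum_sid'      => 'board-session',
    'forum_mybbuser' => 'constructed-board-value',
    'zzzzmybbuser'   => 'constructed-client-value',
];

// Fixed prefix: the board reads only its own name, so the other
// application's "sid" on the same domain no longer collides with it.
echo "board sid: ", get_prefixed_cookie($cookies, 'forum_', 'sid'), PHP_EOL;

// Suffix scan: both names match. Matching a name proves nothing, so each
// value would still need checking against what the server stored.
foreach (find_by_suffix($cookies, 'mybbuser') as $cookieName => $cookieValue) {
    echo "candidate: ", $cookieName, " => ", $cookieValue, PHP_EOL;
}
```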

