MyBB Community Forums

Full Version: Loginkey
Hello,
In the table users, what is the field "loginkey"???
It is a key that is unique to a user. It makes sure that when a user clicks "logout" only the user who is truly logged in as that username can logout.

Eg: if any user could type: http://your site.com/member.php?action=logout&userid=1 they could log anyone out Smile
I don't see why it couldn't just be action=logout and have it get the userid by $mybb->user['uid'].
Because of CSRF exploits. I could add an image to http://example.com/member.php?action=logout then every user who loads it would get logged out because they would have the correct uid for their session.
Exactly ^
I did not understand why the method of dragonexpert cannot fit..
The loginkey, when is it created? Does it remain the same or change based on an event?
It remains the same. But if you think, I can find out your uid by visiting your profile .

http://community.mybb.com/user-22157.html

Your user ID is 22157. Then I could simply hack your uid into my session (using a POST data editor via a plugin for Firefox) and visit the logout link, and log you out.

However, I have no way of finding your post key. It is randomly generated on signup. Mybb tells your computer what your post key is when you login, so your computer can authenticate yourself when logging out Smile
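A toy model of the two logout handlers compared in this thread, added here as an illustration (it is not MyBB code and the names `Forum`, `logout_uid_only`, `logout_with_key` and `demo` are constructed): the weak handler trusts only the uid, which is public in profile URLs, while the keyed handler requires the per-user random key that only the owner's browser ever receives.

```python
import hmac
import secrets
from typing import Dict


class Forum:
    """Constructed model of a forum's logout check (not MyBB's own code)."""

    def __init__(self) -> None:
        self.loginkeys: Dict[int, str] = {}   # uid -> random key fixed at signup
        self.logged_in: Dict[int, bool] = {}

    def signup(self, uid: int) -> str:
        # Generated once at signup and sent only to that user's browser at login.
        key = secrets.token_hex(16)
        self.loginkeys[uid] = key
        self.logged_in[uid] = True
        return key

    def logout_uid_only(self, uid: int) -> bool:
        """Weak handler: knowing the public uid is enough to log someone out."""
        if self.logged_in.get(uid):
            self.logged_in[uid] = False
            return True
        return False

    def logout_with_key(self, uid: int, logoutkey: str) -> bool:
        """Keyed handler: the request must carry the user's secret loginkey."""
        expected = self.loginkeys.get(uid)
        if expected is None or not self.logged_in.get(uid):
            return False
        # Constant-time comparison so the key cannot be recovered via timing.
        if not hmac.compare_digest(expected, logoutkey):
            return False
        self.logged_in[uid] = False
        return True


def demo() -> dict:
    weak = Forum()
    weak.signup(1)
    weak_forged = weak.logout_uid_only(1)              # no key needed: succeeds

    keyed = Forum()
    victim_key = keyed.signup(1)                       # uid public, key secret
    forged = keyed.logout_with_key(1, "")              # forged request: no key
    guessed = keyed.logout_with_key(1, secrets.token_hex(16))  # random guess
    after_forgery = keyed.logged_in[1]                 # victim still logged in
    genuine = keyed.logout_with_key(1, victim_key)     # owner's browser sends key
    return {"weak_forged": weak_forged, "forged": forged, "guessed": guessed,
            "still_logged_in": after_forgery, "genuine": genuine}
```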
(2012-04-10, 02:47 PM)Tom K. Wrote: [ -> ]It remains the same. But if you think, I can find out your uid by visiting your profile .

http://community.mybb.com/user-22157.html

Your user ID is 22157. Then I could simply hack your uid into my session (using a POST data editor via a plugin for Firefox) and visit the logout link, and log you out.

However, I have no way of finding your post key. It is randomly generated on signup. Mybb tells your computer what your post key is when you login, so your computer can authenticate yourself when logging out Smile

I did not know you could edit a data session...
Now I understand.

thank you.
(2012-04-10, 12:46 AM)Charlie Hadden Wrote: [ -> ]Because of CSRF exploits. I could add an image to http://example.com/member.php?action=logout then every user who loads it would get logged out because they would have the correct uid for their session.
If it's about CSRF, why not check the referral URL (HTTP_REFERER)?
If the referral URL is not the forum itself, don't log the user out.
It works fine just as it is.