MyBB Community Forums

Full Version: generate_loginkey on every login
Isn't it more secure to generate new loginkey after every login?

I use the "mybbuser" cookie for checking login outside of the forum, and I wonder why the loginkey never changes.

If anyone gets this cookie, he can use it to act as this user. And if we generate a new loginkey every time on login, getting your cookie is not that useful; it will expire the next time you log in.

And there is no drawback.
(2014-10-25, 12:08 PM)Qiao Wrote: And there is no drawback.
If the key used in the cookie is to expire on the next time the user logs in, keeping sessions on multiple devices would be impossible.
From memory, the loginkey changes if you change your password, but people don't do it often.
Personally, I think it's one of the weakest points in the auth system - some sort of system which cycles the loginkey would be nice.

It's interesting when I see proof-of-concept SQL injections always target the password field. I've personally always targeted the loginkey instead. It also has the nice effect that when the vulnerability is patched, I can still "login" to the target admin's account, and often maintain access for months thereafter.
(2014-10-25, 12:37 PM)Devilshakerz Wrote: If the key used in the cookie is to expire on the next time the user logs in, keeping sessions on multiple devices would be impossible.
Exactly, as people tend to have multiple devices these days (computer, tablet, smartphone) this would be really annoying.
Didn't think about multiple devices. Yep, it is small drawback.
Then it can be generated on logout. If you log out from one device, you will be logged out everywhere. Maybe it is not good in some minor situations, but it is much more secure.

I will implement this as a plugin for my forum, as I use the login cookie outside of the forum. And I think that it can be considered for core.

If the loginkey is generated on login, that will have a nice effect: if somebody gets your password and logs in, then you will be logged out, which alerts you that something is wrong.

I'll do this. Multiple devices are not used simultaneously; you can just relogin every time you use a new device, it is not a big deal. Feeling secure is.

Hell, you can be in this situation: you logged in at home and forgot to log out when leaving. What to do, what to do??!
Just log in anywhere and everything is good! Your wife will not access your account and read your private messages with that chick (she says she is a chick, you can never be sure). Your marriage is saved.
(2014-10-25, 05:55 PM)Qiao Wrote:
If the loginkey is generated on login, that will have a nice effect: if somebody gets your password and logs in, then you will be logged out, which alerts you that something is wrong.
People will just assume it's business as usual as most of forum software does not inform that the session has expired and you have to log in again.

Quote:I'll do this. Multiple devices are not used simultaneously; you can just relogin every time you use a new device, it is not a big deal. Feeling secure is.
I can tell that you are not switching between devices a couple of times a day and don't have complex passwords.


The problem is that the whole authentication mechanism is outdated and does not follow current security standards.

Auth sessions should have their own table in the database so each time a user logs in there is a new row inserted, which would contain user ID, unique session key and other authentication-related data, like the browser information and the IP address; also the time the session was created and the time of last activity within that session.
This way the auth cookie would contain only the session key and nothing else (UID or any other account-related information should not be included) and there would be much more control over the sessions. For example, it would be possible to display the list of devices that are logged into an account and terminate them remotely (currently it's possible only by changing the password and thus the loginkey, but it's only a techy trick known only to developers). Also the sessions could be ended based on the mentioned timestamps.

If there are no plans for 1.9 (1.10), because reconstructing the auth system would require a minor version, this is yet another thing MyBB will stay behind with until 2.0.
There is one good thing about weak authentication: it allows easy integration of the forum with other software.
We'll see what it will be in 2.0.


But I just did it. I added loginkey regeneration on login and logout. I am feeling so safe now...



I wonder whether my forum users will notice this...

Yep, it wasn't a good idea. I left it to administrator accounts only.

Btw, why not hash the login key in the database? It would prevent somebody from using it if he accesses the database.
Re-generating it on logout seems like a good idea.
(2014-10-25, 07:27 PM)Qiao Wrote: Btw, why not hash the login key in the database? It would prevent somebody from using it if he accesses the database.
This is an interesting concept. If we had a sessions table as described before all we'd need to do is to terminate all sessions, but that action can be taken only after discovering that keys are compromised, so storing only a hashed key would buy a webmaster some time.

(2014-10-28, 11:45 AM)Pirata Nervo Wrote: Re-generating it on logout seems like a good idea.
Still feels inconvenient to me. If I'm on multiple devices and I want to log out from a library computer, I'm out everywhere. It is more secure indeed, but it's the old auth system that needs overhauling because it's creating problems and patching them results in limiting the overall functionality (like this).
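The two ideas raised in this thread, a separate auth session table with one row per login (Devilshakerz's proposal above) and storing only a hash of the key so a database dump does not hand out usable cookies (Qiao's suggestion), fit together naturally. The following is an added example written for this page, not MyBB code and not a plugin anyone in the thread posted. It is Python against an in-memory SQLite table; the table and column names, the 30-day idle limit, and the sample logins are assumptions made for the example.

```python
"""Added example: per-device auth sessions with hashed session keys.

Not MyBB code. Schema, idle limit and sample data are assumptions.
"""
import hashlib
import secrets
import sqlite3
import time

IDLE_TIMEOUT = 30 * 24 * 3600  # assumed 30-day idle limit per session

SCHEMA = """
CREATE TABLE IF NOT EXISTS auth_sessions (
    sid        INTEGER PRIMARY KEY,
    uid        INTEGER NOT NULL,
    key_hash   TEXT    NOT NULL UNIQUE,  -- SHA-256 of the cookie value, never the value
    user_agent TEXT,
    ip         TEXT,
    created    INTEGER NOT NULL,
    last_seen  INTEGER NOT NULL
)
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def _hash(key):
    return hashlib.sha256(key.encode()).hexdigest()


def login(db, uid, user_agent, ip, now=None):
    """One new row per login (so one per device). Returns the cookie value.
    The cookie carries only a random key: no uid, no password hash."""
    now = int(time.time()) if now is None else now
    key = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO auth_sessions (uid, key_hash, user_agent, ip, created, last_seen)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (uid, _hash(key), user_agent, ip, now, now),
    )
    return key


def resolve(db, cookie_key, now=None):
    """Map a cookie value to (sid, uid), or None if unknown or idle too long.
    Only the hash is looked up; the raw key is never stored."""
    now = int(time.time()) if now is None else now
    row = db.execute(
        "SELECT sid, uid, last_seen FROM auth_sessions WHERE key_hash = ?",
        (_hash(cookie_key),),
    ).fetchone()
    if row is None:
        return None
    sid, uid, last_seen = row
    if now - last_seen > IDLE_TIMEOUT:
        db.execute("DELETE FROM auth_sessions WHERE sid = ?", (sid,))
        return None
    db.execute("UPDATE auth_sessions SET last_seen = ? WHERE sid = ?", (now, sid))
    return sid, uid


def list_sessions(db, uid):
    """What a 'devices logged into your account' page would show."""
    return db.execute(
        "SELECT sid, user_agent, ip, created, last_seen FROM auth_sessions"
        " WHERE uid = ? ORDER BY sid",
        (uid,),
    ).fetchall()


def logout(db, cookie_key):
    """End only this device's session; other devices stay logged in."""
    db.execute("DELETE FROM auth_sessions WHERE key_hash = ?", (_hash(cookie_key),))


def revoke_all(db, uid, keep_key=None):
    """'Log out everywhere' (password change, suspected leak), optionally
    keeping the session the user is acting from."""
    if keep_key is None:
        db.execute("DELETE FROM auth_sessions WHERE uid = ?", (uid,))
    else:
        db.execute(
            "DELETE FROM auth_sessions WHERE uid = ? AND key_hash <> ?",
            (uid, _hash(keep_key)),
        )


def key_stored_in_clear(db, cookie_key):
    """True if the raw cookie value appears anywhere in the table (it should not)."""
    rows = db.execute("SELECT key_hash FROM auth_sessions").fetchall()
    return any(cookie_key == r[0] for r in rows)
```

Compared with a single per-user loginkey, this gives each device its own revocable row, lets the user see and end sessions from the account settings page, and expires idle sessions by timestamp; a leaked table contains only hashes, so the attacker still has to obtain a live cookie from a client.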
I agree with a separate auth session table.